WO2020220783A1 - Proxy subscription authorization method and device - Google Patents


Info

Publication number
WO2020220783A1
Authority
WO
WIPO (PCT)
Prior art keywords
token
subscription
network function
request
authorization
Application number
PCT/CN2020/074251
Other languages
French (fr)
Chinese (zh)
Inventor
赵绪文
张博
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to PCT/CN2020/082780 (WO2020220919A1)
Publication of WO2020220783A1

Classifications

    • H04L 9/40 Network security protocols (under H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
    • H04L 63/0807 Authentication of entities using tickets, e.g. Kerberos (under H04L 63/08 Authentication of entities; H04L 63/00 Network architectures or network communication protocols for network security)
    • H04L 63/0884 Authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity (under H04L 63/08; H04L 63/00)
    • H04L 63/123 Applying verification of the received information: received data contents, e.g. message integrity (under H04L 63/12 Applying verification of the received information; H04L 63/00)
    • H04W 12/06 Authentication (under H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W 12/10 Integrity (under H04W 12/00)

Definitions

  • the embodiments of the present application relate to the field of communication technology, and in particular, to an authorization method and device for proxy subscription.
  • the fifth generation mobile communication system adopts a service-based architecture (SBA).
  • SBA service-based architecture
  • 3GPP 3rd generation partnership project
  • eSBA enhancement of service-based architecture
  • the communication between network functions (network function, NF) in the core network adopts a service invocation method.
  • NF network function
  • eSBA enhanced service-based architecture
  • NF_A subscribes to services from NF_B.
  • NF_B notifies NF_A of related services after the corresponding conditions are met.
  • SBA or eSBA architecture also supports proxy subscriptions.
  • NF_A can also subscribe to NF_B on behalf of NF_C, and NF_B directly notifies NF_C of related services after the corresponding conditions are met.
  • service subscription, modification and cancellation are all done by NF_A on behalf of NF_C, and NF_C only receives service notifications from NF_B.
  • the embodiment of the present application provides a proxy subscription authorization method and device to solve the problem of how to ensure the security of proxy subscription in the proxy subscription scenario.
  • a proxy subscription authorization method is provided which can be executed by a network function storage function NRF, and the method includes the following steps: the NRF receives a token request from a first network function NF, and the token request includes the identity of the first NF and the identity of a second NF; the NRF generates a first token based on the token request, and the first token is used to indicate that the first NF has the right to subscribe to the network function service from a third NF on behalf of the second NF, and to indicate that the second NF has the right to receive the network function service provided by the third NF; the NRF sends the first token to the first NF.
  • NRF is used to authorize and judge the permissions of the two service requesters subscribed by the proxy, and indicate through the token, which can help ensure the security of proxy subscription in the proxy subscription scenario.
  • the NRF receives a token request from the first network function NF; the NRF performs authorization based on the token request and, if the authorization is successful, sends the first token to the first NF; wherein the authorization includes: determining whether the first NF has the authority to subscribe to network function services from the third NF on behalf of the second NF, and determining whether the second NF has the authority to receive network function services provided by the third NF.
  • NRF is used to authorize and judge the permissions of the two service requesters subscribed by the proxy, and indicate through the token, which can help ensure the security of proxy subscription in the proxy subscription scenario.
  • the token request includes first indication information, and the first indication information is used to indicate that the first NF subscribes to the third NF for the network function service on behalf of the second NF;
  • the NRF determines, according to the first indication information, that the first token needs to be generated.
  • the first token includes an identifier of the second NF, which is used to determine the information of the second NF after the third NF successfully verifies the token.
  • the first token includes second indication information, which is used to indicate to the third NF that the first token is a token used by the first NF to subscribe to the third NF for network function services on behalf of the second NF.
  • the first token is used to indicate that the first NF has the authority to subscribe to the third NF for network function services on behalf of the second NF, and is used to indicate that the second NF has the authority to receive the network function service provided by the third NF.
  • Tokens are used to characterize permissions.
  • the NRF receives a verification request from the third NF, the verification request includes a second token, and the verification request is used to request verification of the second token; the NRF verifies the second token and returns a verification result to the third NF.
  • the third NF here is the service provider, and the NRF can verify the token provided by the service provider to further ensure the security of proxy subscription.
  • the verification includes one or more of the following: performing integrity verification on the second token; verifying whether the second token is used to indicate that the second NF has the authority to receive the network function service provided by the third NF; verifying the validity of the second token; verifying whether the identity of the service provider contained in the token is the same as the identity of the third NF; and checking whether the second token is consistent with the first token.
  • a proxy subscription authorization method is provided.
  • the method can be executed by a first network function NF.
  • the method includes the following steps: the first network function NF sends a token request to the network function storage function NRF, and the token request includes the identity of the first NF and the identity of the second NF; the first NF receives a token from the NRF, and the token is used to indicate that the first NF has the right to subscribe to the network function service from the third NF on behalf of the second NF, and is used to indicate that the second NF has the right to receive the network function service provided by the third NF.
  • the first NF requests the NRF to perform authorization judgment on the service requester subscribed by the proxy, and indicates through the token, which can help ensure the security of the proxy subscription in the proxy subscription scenario.
  • the first network function NF sends a token request to the network function storage function NRF, the token request is used to request the NRF to perform authorization, and the authorization includes: determining whether the first NF has the right to subscribe to the network function service from the third NF on behalf of the second NF, and determining whether the second NF has the right to receive the network function service provided by the third NF; the first NF receives the token from the NRF.
  • the first NF requests the NRF to perform authorization judgment on the service requester subscribed by the proxy, and indicates through the token, which can help ensure the security of the proxy subscription in the proxy subscription scenario.
  • the token request includes the identification of the first NF and the identification of the second NF.
  • the identification of the two service requesters can represent the proxy subscription scenario.
  • the token request includes first indication information, and the first indication information is used to indicate that the first NF subscribes to the third NF for network function services on behalf of the second NF.
  • the proxy subscription scenario is characterized by the indication information.
  • the token includes the identifier of the second NF, and is used for determining the information of the second NF after the third NF successfully verifies the token.
  • the first token includes second indication information, which is used to indicate to the third NF that the first token is a token used by the first NF to subscribe to the third NF for network function services on behalf of the second NF.
  • the token is used to indicate that the first NF has the authority to subscribe to network function services from the third NF on behalf of the second NF, and is used to indicate that the second NF has the authority to receive the network function service provided by the third NF.
  • Tokens are used to characterize permissions.
  • the first NF sends a subscription request to the third NF, and the subscription request carries the token.
  • by carrying the token in the subscription request, the first NF indicates that the two service requesters in the proxy subscription scenario are authorized.
  • the first NF receives a subscription response from the third NF.
  • the subscription response carries the token or the authorization result.
  • the authorization result includes: the second NF has the authority to receive the network function service provided by the third NF, and the first NF has the authority to subscribe to the network function service from the third NF on behalf of the second NF. If the subscription response carries the token, it can indicate that the token carried in the subscription request has passed the verification or that the verification succeeded. If the subscription response carries the authorization result, it can indicate that the service requesters subscribed by the proxy have completed the authorization. Further, after receiving the token or authorization result, the first NF may also forward the token or authorization result to the third NF, so as to achieve the purpose of notifying the second NF of whether the authorization is successful.
  • the first NF receives a notification from the third NF, the notification carries the token or the authorization result, and the authorization result includes that the first NF has the right to subscribe to the network function service from the third NF on behalf of the second NF, and that the second NF has the right to receive the network function service provided by the third NF.
  • if the notification carries the token, it can indicate that the token carried in the subscription request passed the verification or that the verification succeeded.
  • if the notification carries the authorization result, it can indicate that the service requesters subscribed by the proxy have completed the authorization.
  • the first NF may also forward the token or authorization result to the third NF, so as to achieve the purpose of notifying the second NF of whether the authorization is successful.
  • a proxy subscription authorization method is provided.
  • the method can be executed by a third network function NF.
  • the method includes the following steps: the third network function NF receives a subscription request from the first NF, and the subscription request carries a token; the third NF verifies the token contained in the subscription request to obtain a verification result, wherein, if the verification is successful, the first NF has the right to subscribe to the network function service from the third NF on behalf of the second NF, and the second NF has the right to receive the network function service provided by the third NF; if the verification is unsuccessful, the first NF does not have the right to subscribe to the network function service from the third NF on behalf of the second NF, and the second NF does not have the right to receive the network function service provided by the third NF; the third NF sends a subscription response to the first NF, and the subscription response carries the verification result. After the third NF receives the subscription request, it is determined according to the token carried in the subscription request that it is a proxy subscription scenario, and the token is verified.
  • the token carries the identity of the second NF. After the token is successfully verified by the third NF, the information of the second NF is determined.
  • the third NF obtains the identity of the second NF from the token when the verification succeeds.
  • the token carries indication information, and the indication information is used to indicate that the first NF subscribes to the third NF for the network function service on behalf of the second NF, so that the third NF can learn that the first token is a token used by the first NF to subscribe to the network function service from the third NF on behalf of the second NF.
  • the third NF sends an authorization notification to the second NF when the verification succeeds, the authorization notification includes an authorization result, and the authorization result includes that the second NF has the right to receive the network function service provided by the third NF.
  • the authorization notification can convey the authorization result to the second NF.
  • the verification includes one or more of the following: performing integrity verification on the token; verifying whether the token is used to indicate that the second NF has the authority to receive the network function service provided by the third NF; verifying the validity of the token; verifying whether the identity of the service provider contained in the token is the same as the identity of the third NF; and verifying whether the token is consistent with the token stored in the third NF.
  • the subscription request also carries the identifier of the first NF and the identifier of the second NF.
  • the identification of the two service requesters can be used to characterize the subscription request as a proxy subscription scenario.
  • the subscription response also carries the token or the authorization result.
  • the authorization result includes that the first NF has the authority to subscribe to network function services from the third NF on behalf of the second NF, and that the second NF has the right to receive the network function service provided by the third NF. If the subscription response carries the token, it can indicate that the token carried in the subscription request has passed the verification or that the verification succeeded. If the subscription response carries the authorization result, it can indicate that the service requesters subscribed by the proxy have completed the authorization. Further, after receiving the token or authorization result, the first NF may also forward the token or authorization result to the third NF, so as to achieve the purpose of notifying the second NF of whether the authorization is successful.
  • the third NF sends a notification to the first NF, the notification carries the token or the authorization result, and the authorization result includes that the first NF has the right to subscribe to the network function service from the third NF on behalf of the second NF, and that the second NF has the right to receive the network function service provided by the third NF.
  • if the notification carries the token, it can indicate that the token carried in the subscription request passed the verification or that the verification succeeded.
  • if the notification carries the authorization result, it can indicate that the service requesters subscribed by the proxy have completed the authorization.
  • the first NF may also forward the token or authorization result to the third NF, so as to achieve the purpose of notifying the second NF of whether the authorization is successful.
  • a proxy subscription system includes a first network function NF and an NRF.
  • the first network function NF is used to send a token request to the network function storage function NRF, and the token request includes the identity of the first NF and the identity of the second NF;
  • the NRF is used to receive the token request from the first NF, generate a token based on the token request, and send the token to the first NF, where the token is used to indicate whether the first NF has the right to subscribe to the network function service from the third NF on behalf of the second NF, and to indicate whether the second NF has the right to receive the network function service provided by the third NF.
  • in the proxy subscription scenario, the first NF requests the NRF to perform authorization judgment on the service requesters subscribed by the proxy; the NRF judges the permissions of the two service requesters subscribed by the proxy and indicates them through the token, which can help ensure the security of the proxy subscription in the proxy subscription scenario.
  • the first network function NF is used to send a token request to the network function storage function NRF, where the token request includes the identity of the first NF and the identity of the second NF; the NRF is used to receive the token request from the first NF, perform authorization based on the token request, and, if the authorization is successful, send a token to the first NF; wherein the authorization includes: judging whether the first NF has the authority to subscribe to network function services from the third NF on behalf of the second NF, and whether the second NF has the authority to receive network function services provided by the third NF.
  • in the proxy subscription scenario, the first NF requests the NRF to perform authorization judgment on the service requesters subscribed by the proxy; the NRF judges the permissions of the two service requesters subscribed by the proxy and indicates them through the token, which can help ensure the security of the proxy subscription in the proxy subscription scenario.
  • the token request includes first indication information, and the first indication information is used to indicate that the first NF subscribes to the network function service from the third NF on behalf of the second NF, so that the NRF determines, according to the first indication information, that the token needs to be generated.
  • the first NF is further configured to send a subscription request to the third NF, and the subscription request carries the token.
  • by carrying the token in the subscription request, the first NF indicates that the two service requesters in the proxy subscription scenario are authorized.
  • the token includes the identifier of the second NF, and is used for determining the information of the second NF after the third NF successfully verifies the token.
  • the token includes second indication information, and the second indication information is used to indicate that the first NF subscribes to the network function service from the third NF on behalf of the second NF.
  • the system further includes the third NF.
  • the third NF is configured to receive a subscription request from the first NF, and verify the token carried in the subscription request to obtain a verification result; wherein, if the verification is successful, the first NF has the authority to subscribe to the third NF for network function services on behalf of the second NF, and the second NF has the authority to receive the network function service provided by the third NF; if the verification is unsuccessful, the first NF does not have the authority to subscribe to the third NF for the network function service on behalf of the second NF, and the second NF does not have the authority to receive the network function service provided by the third NF.
  • after the third NF receives the subscription request, it is determined according to the token carried in the subscription request that it is a proxy subscription scenario, and the token is verified, which can further improve the authorization effect of the proxy subscription scenario and ensure the security of proxy subscription.
  • the third NF is also used to send a subscription response to the first NF, and the subscription response carries the token or the authorization result;
  • the authorization result includes that the first NF has the right to subscribe to the network function service from the third NF on behalf of the second NF, and that the second NF has the right to receive the network function service provided by the third NF; the first NF is also used to receive the subscription response from the third NF.
  • the third NF is further configured to send an authorization notification to the second NF when the verification succeeds, the authorization notification includes an authorization result, and the authorization result includes that the second NF has the right to receive the network function service provided by the third NF.
  • the second NF is also used to receive the authorization notification from the third NF. If the subscription response carries the token, it can indicate that the token carried in the subscription request has passed the verification or that the verification succeeded. If the subscription response carries the authorization result, it can indicate that the service requesters subscribed by the proxy have completed the authorization. Further, after receiving the token or authorization result, the first NF may also forward the token or authorization result to the third NF, so as to achieve the purpose of notifying the second NF of whether the authorization is successful.
  • the verification includes one or more of the following: performing integrity verification on the token; verifying whether the token is used to indicate that the second NF has the authority to receive the network function service provided by the third NF; verifying the validity of the token; verifying whether the identity of the service provider contained in the token is the same as the identity of the third NF; and verifying whether the token is consistent with the token stored in the third NF.
  • the third NF is also used to send a notification to the first NF, the notification carries the token or the authorization result, and the authorization result includes that the first NF has the authority to subscribe to network function services from the third NF on behalf of the second NF, and that the second NF has the authority to receive the network function service provided by the third NF; the first NF is also used to receive the notification from the third NF. If the notification carries the token, it can indicate that the token carried in the subscription request passed the verification or that the verification succeeded. If the notification carries the authorization result, it can indicate that the service requesters subscribed by the proxy have completed the authorization. Further, after receiving the token or authorization result, the first NF may also forward the token or authorization result to the third NF, so as to achieve the purpose of notifying the second NF of whether the authorization is successful.
  • the token request includes the identification of the first NF and the identification of the second NF.
  • the identification of the two service requesters can represent the proxy subscription scenario.
  • a proxy subscription authorization method is provided, which may be executed by a service communication proxy SCP.
  • the method may include the following steps: the SCP receives a subscription request from a first network function NF, and the subscription request is used by the first NF to request to subscribe to the third NF for network function services on behalf of the second NF; the SCP determines that the second NF has the authority to receive the network function services provided by the third NF; the SCP sends an authorization notification to the second NF, where the authorization notification is used to indicate that the second NF has the right to receive the network function service provided by the third NF.
  • the SCP is used to judge the permissions of the two service requesters subscribed by the proxy, which can help ensure the security of the proxy subscription in the proxy subscription scenario.
  • the subscription request includes one or more tokens; the SCP determines that the second NF has the right to receive the network function service provided by the third NF, which is implemented in the following manner: based on the one or more tokens, the SCP determines that the second NF has the right to receive the network function service provided by the third NF.
  • One token may indicate that the first NF has the authority to subscribe network function services to the third NF on behalf of the second NF, and the second NF has the authority to receive network function services provided by the third NF.
  • the multiple tokens may be, for example, two tokens.
  • one token is used to indicate that the first NF has the authority to subscribe to the third NF on behalf of the second NF, and the other token is used to indicate that the second NF has the right to receive the network function service provided by the third NF.
  • the SCP verifies the token; the verification includes one or more of the following: integrity verification of the token, verification of whether the token is used to indicate that the second NF has the authority to receive the network function service provided by the third NF, and verification of the validity of the token. The verification fails when any one of the verifications is unsuccessful, and the verification succeeds when all verifications are successful. Specifically, it is necessary to check whether the subscription request contains the identity of the third NF. It is also necessary to verify whether the identifier of the service producer included in the audience claim in the token is the same as the identifier of the third NF queried by the SCP.
  • the SCP can obtain the identity of the third NF by querying based on locally configured information, and can also obtain the identity of the third NF by querying based on the information obtained from the NRF. It can also verify whether the third NF can provide the subscribed network function service.
  • the SCP sends an authorization notification to the second NF, the authorization notification includes the authorization result, and the authorization result includes that the first NF has the authority to subscribe to the third NF for the network function service on behalf of the second NF, and that the second NF has the authority to receive the network function service provided by the third NF.
  • the SCP sends a token to the second NF, indicating through the token that the first NF has the authority to subscribe to network function services from the third NF on behalf of the second NF, and that the second NF has the right to receive the network function service provided by the third NF.
  • if the verification is successful, the SCP sends an authorization notification to the second NF, the authorization notification includes the authorization result, and the authorization result includes that the first NF has the authority to subscribe to the third NF for the network function service on behalf of the second NF, and that the second NF has the authority to receive the network function service provided by the third NF.
  • the SCP sends a token to the second NF.
  • the one or more tokens include a first token and a second token; the first token is used to indicate that the first NF has the right to subscribe to the network function service from the third NF on behalf of the second NF; the second token is used to indicate that the second NF has the right to receive the network function service provided by the third NF.
  • the SCP determines that the second NF has the authority to receive network function services provided by the third NF, which is implemented in the following manner: the SCP sends an authorization request to the NRF; the SCP receives a response to the authorization request from the NRF, where the response is used to indicate that the second NF has the right to receive the network function service provided by the third NF. Performing the authorization judgment through the NRF and returning the authorization result to the SCP can improve the security in the proxy subscription scenario.
  • an authorization method for proxy subscription is provided.
  • the method can be executed by a third network function NF.
  • the method includes: the third NF receives a subscription request from the first NF, and the subscription request is used for the first NF.
  • the NF acts for the second NF to subscribe to the third NF for network function services; the third NF determines that the second NF has the authority to receive the network function services provided by the third NF; the third NF subscribes to the second NF
  • the NF sends an authorization notification, where the authorization notification is used to indicate that the second NF has the right to receive the network function service provided by the third NF. Judging the authority of the two service requesters in the subscription request through the third NF can improve the security of proxy subscription.
  • the third NF determines whether the first NF has the authority to subscribe to the third NF for network function services on behalf of the second NF, and determines whether the second NF has the authority to receive the network function service provided by the third NF; if both judgment results are yes, the authorization result obtained by the third NF is yes.
  • the subscription request includes one or more tokens; the third NF verifies the tokens included in the subscription request and, when the verification succeeds, determines that the second NF has the authority to receive network function services provided by the third NF. The verification includes one or more of the following: integrity verification of the token, verification that the token indicates that the second NF has the authority to receive the network function service provided by the third NF, and verification of the validity of the token.
  • the verification fails when any one of these checks is unsuccessful, and succeeds only when all checks are successful. In particular, it is necessary to check whether the subscription request contains the identity of the third NF.
  • the subscription request includes a first token and a second token; the first token is used to indicate that the first NF has the authority to subscribe to the third NF for network function services on behalf of the second NF; the second token is used to indicate that the second NF has the authority to receive the network function service provided by the third NF.
  • an authorization device for proxy subscription, which has the function of implementing the NRF behavior in the first aspect or any possible design of the first aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the device can be a chip or an integrated circuit.
  • the device includes a memory and a processor, the memory stores a set of programs, and the processor is used to execute the programs stored in the memory.
  • the device can execute the method described in the first aspect or any possible design of the first aspect.
  • the device also includes a transceiver for communication between the device and other functions.
  • the device is NRF.
  • an authorization device for proxy subscription, which has the function of implementing the first NF behavior in the second aspect or any possible design of the second aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the device can be a chip or an integrated circuit.
  • the device includes a memory and a processor, the memory stores a set of programs, and the processor is used to execute the programs stored in the memory.
  • the device can execute the method described in the second aspect or any possible design of the second aspect.
  • the device also includes a transceiver for communication between the device and other functions.
  • the device is NF.
  • an authorization device for proxy subscription, which has the function of implementing the third NF behavior in the third aspect or any possible design of the third aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the device can be a chip or an integrated circuit.
  • the device includes a memory and a processor.
  • the memory stores a set of programs.
  • the processor is used to execute the programs stored in the memory.
  • the device can execute the method described in the third aspect or any possible design of the third aspect.
  • the device also includes a transceiver for communication between the device and other functions.
  • the device is NF.
  • an authorization device for proxy subscription, which has the function of implementing the SCP behavior in the fifth aspect or any possible design of the fifth aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the device can be a chip or an integrated circuit.
  • the device includes a memory and a processor.
  • the memory stores a set of programs.
  • the processor is used to execute the programs stored in the memory.
  • the device can execute the method described in the fifth aspect or any possible design of the fifth aspect.
  • the device also includes a transceiver for communication between the device and other functions.
  • the device is an SCP.
  • an authorization device for proxy subscription, which has the function of implementing the third NF behavior in the sixth aspect or any possible design of the sixth aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the device can be a chip or an integrated circuit.
  • the device includes a memory and a processor.
  • the memory stores a set of programs.
  • the processor is used to execute the programs stored in the memory.
  • the device can execute the method described in the sixth aspect or any possible design of the sixth aspect.
  • the device also includes a transceiver for communication between the device and other functions.
  • the device is NF.
  • a chip is provided; the chip is connected to a memory or includes a memory, and is used to read and execute a software program stored in the memory so as to implement the method described in the above aspects or any possible design of those aspects.
  • a computer storage medium is provided, and a computer program is stored.
  • the computer program includes instructions for executing the foregoing aspects and any possible design method in each aspect.
  • a computer program product is provided; when a computer reads and executes the computer program product, the computer executes the methods described in the above aspects or any possible design of those aspects.
  • Figure 1a is the first schematic diagram of the service-oriented architecture system in an embodiment of the application.
  • Figure 1b is the second schematic diagram of the service-oriented architecture system in the embodiment of the application.
  • Figure 2 is a schematic flow diagram of one of the authorization methods for proxy subscription in an embodiment of the application
  • FIG. 3 is a schematic diagram of the second flow of the authorization method for proxy subscription in an embodiment of the application
  • FIG. 4 is a schematic diagram of the third process of the authorization method for proxy subscription in an embodiment of the application.
  • Figure 5 is a schematic diagram of the fourth process of the proxy subscription authorization method in an embodiment of the application.
  • Fig. 6 is a schematic diagram of the fifth process of the authorization method for proxy subscription in an embodiment of the application.
  • FIG. 7 is a schematic diagram of the sixth process of the authorization method for proxy subscription in an embodiment of the application.
  • FIG. 8 is one of the structural diagrams of the authorization device for proxy subscription in an embodiment of the application.
  • Figure 9 is the second structural diagram of the authorization device for proxy subscription in an embodiment of the application.
  • FIG. 10 is a schematic flowchart of another subscription authorization method in an embodiment of the application.
  • Fig. 11 is a schematic flowchart of another subscription authorization method in an embodiment of the application.
  • the embodiments of the application provide a proxy subscription authorization method, device, and system, which are used to realize the security of proxy subscription.
  • the method and the device are based on the same inventive concept. Since the principles by which the method and the device solve the problem are similar, the implementations of the device and the method may refer to each other, and repeated descriptions are omitted.
  • "and/or" describes an association relationship between the associated objects and indicates that three relationships are possible; for example, A and/or B can mean: A alone, both A and B, or B alone.
  • the character "/" generally indicates that the associated objects are in an "or" relationship.
  • At least one involved in this application refers to one or more; multiple refers to two or more.
  • words such as "first" and "second" are used only to distinguish the objects described, and cannot be understood as indicating or implying relative importance or order.
  • the communication method provided in the embodiments of the present application can be applied to a 5G communication system or various future communication systems.
  • Figure 1a shows a possible service-oriented architecture system to which the proxy subscription authorization method provided in an embodiment of the present application is applicable.
  • the service-oriented architecture system 100 includes at least three NFs 101. This application takes three NFs as an example, denoted NF_A, NF_B and NF_C, with reference numerals 101_a, 101_b and 101_c respectively.
  • the service-oriented architecture 100 further includes a network repository function (NRF) 102.
  • the service-oriented architecture 100 further includes a service communication proxy (SCP) 103.
  • NF 101 is a network function in the core network; each NF exposes a service-based interface and communicates through service invocation.
  • NRF 102 is used for registration and discovery of NFs 101, stores the registration information of each NF in the same PLMN, and acts as an authorization server that performs authorization, generates tokens and verifies tokens.
  • SCP 103 forwards communication between NFs, performs load balancing and NF selection, and may also provide NF registration, discovery and authorization functions.
  • the NF in this application can be any NF.
  • FIG. 1b shows a possible architecture of a communication system based on a service-oriented interface in a non-roaming scenario.
  • NF_A can be the NEF, NF_B can be the AMF, and NF_C can be the UDM.
  • the system architecture includes a network exposure function network element, a policy control function network element, a data management network element, an application function network element, a core network access and mobility management function network element, a session management function network element, terminal equipment, access network equipment, a user plane function (UPF) network element and a data network.
  • Core network access and mobility management function network elements and terminal equipment can be connected through N1 interface
  • core network access and mobility management function network elements and access network equipment can be connected through N2 interface
  • the access network equipment and the user plane function network element can be connected through the N3 interface
  • the session management function network element and the user plane function network element can be connected through the N4 interface
  • the user plane function network element and the data network can be connected through the N6 interface.
  • the interface name is just an example.
  • the data network (DN) can be the Internet, an IP Multimedia Subsystem (IMS) network, a local network (for example, a mobile edge computing (MEC) network), and so on.
  • the data network includes an application server, and the application server provides business services for the terminal device by performing data transmission with the terminal device.
  • the core network access and mobility management function network element can be used to manage access control and mobility of the terminal device. In practical applications, it includes the mobility management function of the mobility management entity (MME) in the long term evolution (LTE) network framework, with an access management function added, and can be specifically responsible for registration of terminal equipment, mobility management, tracking area update procedures, reachability detection, selection of the session management function network element, mobile state transition management, etc.
  • the core network access and mobility management function network element may be an AMF (access and mobility management function) network element.
  • in future communication systems, the core network access and mobility management function network element may still be an AMF network element or may have another name, which is not limited by this application.
  • when the core network access and mobility management function network element is an AMF network element, the AMF may provide the Namf service.
  • the session management function network element can be responsible for session management of the terminal device (including establishment, modification and release of sessions), selection and reselection of the user plane function network element, Internet protocol (IP) address allocation for the terminal device, quality of service (QoS) control, etc.
  • the session management function network element may be an SMF (session management function) network element.
  • the session management function network element may still be an SMF network element or may have another name, which is not limited in this application.
  • the SMF can provide the Nsmf service.
  • the policy control function network element can be used to be responsible for policy control decision-making, to provide functions such as service data flow and application detection, gating, QoS, and flow-based charging control.
  • the policy control function network element may be a PCF (policy control function) network element.
  • the policy control function network element may still be a PCF network element or may have another name, which is not limited in this application.
  • the PCF network element may provide Npcf service.
  • the main function of the application function network element is to interact with the 3rd generation partnership project (3GPP) core network to provide services to influence service flow routing, access network capability opening, policy control, etc.
  • the application function network element may be an AF (application function) network element.
  • the application function network element may still be an AF network element or may have another name, which is not limited in this application.
  • the AF network element may provide Naf services.
  • the data management network element can be used to manage the subscription data of the terminal device, registration information related to the terminal device, and the like.
  • the data management network element may be a unified data management network element (unified data management, UDM).
  • in future communications such as 6G, the data management network element may still be a UDM network element or may have another name, which is not limited in this application.
  • the UDM network element may provide Nudm services.
  • the network exposure function network element can be used to enable the 3GPP network to securely expose network service capabilities to third-party AFs (for example, a service capability server (SCS), an application server (AS), etc.).
  • the network exposure function network element may be an NEF (network exposure function) network element.
  • in future communications such as 6G, the network exposure function network element may still be an NEF network element or may have another name, which is not limited by this application.
  • the NEF may provide Nnef services to other network function network elements.
  • Namf is a service-based interface presented by AMF.
  • Nsmf is a service-based interface presented by SMF.
  • Nnef is a service-based interface presented by NEF.
  • Npcf is a service-based interface presented by PCF.
  • Nudm is a service-based interface presented by UDM.
  • Naf is a service-based interface presented by AF.
  • Nnrf is a service-based interface presented by NRF.
  • Nausf is the service-based interface presented by AUSF.
  • the system architecture may also include other network elements, such as a network slice selection function (NSSF), an authentication server function (AUSF), etc., which are not listed here.
  • each network element described in Figure 1b may also be called a functional entity or a function.
  • Each network element may be a network element implemented on dedicated hardware, or an instance of software running on dedicated hardware, or an instance of virtualized function on an appropriate platform.
  • NF_A proxying NF_C to subscribe to NF_B means: NF_A sends a subscription request to NF_B; after receiving the subscription request, NF_B determines that NF_A is subscribing to NF_B on behalf of NF_C, and when the subscribed condition is met, NF_B sends a notification directly to NF_C, the notification providing the subscribed service. In this way, NF_A subscribes to a service of NF_B on behalf of NF_C.
  • proxy subscription can also be implemented in a request-response manner.
  • NF_A proxying NF_C to subscribe to NF_B can also be understood as NF_A proxying NF_C to request service from NF_B.
  • the proxy subscription scenario can be extended to NF_A requesting, on behalf of NF_C, to use network function services of NF_B.
  • the NF identifiers involved in this application include: the instance ID of the NF, and/or the uniform resource identifier (URI) of the NF, and/or the notification endpoint of the NF, and/or the notification target address of the NF, and/or the notification correlation ID, and/or the notification uniform resource locator (notification URL), and/or the notification uniform resource identifier (notification URI), and/or the callback uniform resource locator (callback URL), and/or the callback reference, and/or other forms of ID or address information that can uniquely identify the NF.
  • the following embodiments take the instance ID of the NF and/or the URI of the NF as an example to describe the authorization method of proxy subscription.
  • the token concept involved in this application is used to indicate the authority to invoke a network function service. A token can include any one or more of the following:
  • service requester NF ID, service provider NF ID, service provider NF type, service provider NF service type, service requester NF service type, service name(s), NRF ID, public land mobile network ID (PLMN ID), expiration time, single network slice selection assistance information (S-NSSAI), NF set ID, service instance set ID, service zone ID, service area, data network name (DNN), tracking area ID (TAI), location information of the target NF or NF service, event ID(s), event list, subscription change notification uniform resource identifier, subscription change notification correlation ID, subscription permanent identifier (SUPI), group ID, generic public subscription identifier (GPSI), permanent equipment identifier (PEI). Different tokens can also be distinguished
  • an authorization process is added during the proxy subscription process to ensure the security of the proxy subscription.
  • the embodiments described below involve interactions between multiple NFs.
  • the multiple NFs include a first NF, a second NF, a third NF, NRF, and SCP.
  • the first NF corresponds to the aforementioned NF_A
  • the second NF corresponds to the aforementioned NF_C
  • the third NF corresponds to the aforementioned NF_B.
  • the first NF acts for the second NF to subscribe services to the third NF.
  • the network function service provided by the service provider or service producer in this application may also be referred to as service for short.
  • the first and second authorization methods for proxy subscription described below are based on the interaction between four network functions: the first NF, the NRF, the second NF and the third NF.
  • the first NF sends a token request to the NRF, and the NRF receives the token request from the first NF.
  • the token request is used to request that authorization be performed.
  • the process of performing authorization includes: determining whether the first NF has the authority to send a subscription request to the third NF, for example, whether the first NF has the authority to subscribe to the third NF for network function services on behalf of the second NF.
  • the authorization process also includes: determining whether the second NF has the authority to receive the network function service provided by the third NF.
  • the token request carries the identities of the service consumers, that is, the identity of the first NF and the identity of the second NF; for example, it carries the instance ID and/or uniform resource identifier (URI) of the first NF, and the instance ID and/or URI of the second NF.
  • the token request may also carry the network function service for which the subscription is requested, and the type and/or identifier of the service producer.
  • the service producer is the third NF; for example, the instance ID and/or URI of the third NF, and/or the type of the third NF (NF type), is carried.
  • the token request can also carry an event ID (Event ID(s)), and/or an event list (Event List), and/or a subscription change notification uniform resource identifier (Subscription Change Notification URI), and/or a subscription change notification correlation ID, and/or a subscription permanent identifier (SUPI), and/or a group ID, and/or a generic public subscription identifier (GPSI), and/or a permanent equipment identifier (PEI).
  • the token request may also carry other parameters required for authorization and token generation.
  • the token request may also carry indication information, which is used to indicate that the first NF is requesting a token in the proxy subscription scenario, that is, to instruct the NRF to determine whether the second NF has the authority to receive the network function service provided by the third NF, and to determine whether the first NF has the authority to send a subscription request to the third NF, specifically whether the first NF has the authority to subscribe to the third NF for the network function service on behalf of the second NF.
  • optionally, S200 is performed before S201.
  • the second NF sends NF information to the first NF, and the first NF receives the NF information from the second NF.
  • the NF information includes the identifier of the second NF, such as the instance ID and/or the uniform resource identifier (URI) of the second NF.
  • the NF information may further include an event ID (Event ID(s)), and/or an event list (Event List), and/or a subscription change notification uniform resource identifier (Subscription Change Notification URI), and/or a subscription change notification correlation ID, and/or a subscription permanent identifier (SUPI), and/or a group ID, and/or a generic public subscription identifier (GPSI), and/or a permanent equipment identifier (PEI).
  • in this way, the first NF obtains the information of the second NF.
  • the identification of the second NF carried in the token request in S201 may be derived from S200, or may be pre-configured or stored by the first NF.
  • the NRF generates a token based on the received token request.
  • the NRF first determines, according to the token request, that what the first NF requests is a token for the proxy subscription scenario. The NRF may determine this from the service invocation name of the token request (the service invocation name used for the token request in this application differs from that used in the prior art); or from the indication information carried in the token request; or from the fact that the token request carries the identifiers (instance ID and/or URI) of two service requesters; or by other means.
  • the NRF can determine whether the first NF has the authority to subscribe to the third NF for network function services on behalf of the second NF, and determine whether the second NF has the authority to receive network function services provided by the third NF.
  • the NRF may judge authority by, for example, combining the identity of the first NF, the identity of the second NF, the identity and/or type of the service producer (that is, the third NF), and/or other information carried in the token request with locally configured policies or authorization information.
  • if the NRF determines that the second NF has the right to receive the network function service provided by the third NF, and that the first NF has the right to subscribe to the third NF for the network function service on behalf of the second NF, it generates a token.
  • the generated token contains the identifications of the first NF and the second NF.
  • the specific NF identification may be the NF Instance ID, and/or the URI of the NF, and/or other forms of ID or address information that can uniquely identify the NF.
  • the token may also include an event ID (Event ID(s)), and/or an event list (Event List), and/or a subscription change notification uniform resource identifier (Subscription Change Notification URI), and/or a subscription change notification correlation ID, and/or a subscription permanent identifier (SUPI), and/or a group ID, and/or a generic public subscription identifier (GPSI), and/or a permanent equipment identifier (PEI), and/or other parameters required for authorization and token generation.
  • the identifiers of the first NF and the second NF in the token are included in the subject claim. Specifically, the subject claim may be extended in length, with the first half carrying the identity of the first NF and the second half the identity of the second NF, or the first half carrying the identity of the second NF and the second half the identity of the first NF. Alternatively, a new subject claim may be defined, for example subject claim-new, where the subject claim carries the identification of the first NF and subject claim-new carries the identification of the second NF, or the subject claim carries the identification of the second NF and subject claim-new carries the identification of the first NF.
  • This application does not restrict how the token carries the identity of the first NF and the identity of the second NF.
  • the other information in the token may be carried in other token claims; this application does not restrict how the token carries that information.
  • the token may also carry indication information, which is used to indicate that the token is a token for the proxy subscription scenario, for example, that the first NF subscribes to the third NF for network function services on behalf of the second NF.
  • if either judgment result is no, the process ends, and a message may also be sent to the first NF to indicate the determination result.
  • the NRF sends a token response to the first NF, and the first NF receives the token response from the NRF.
  • the token response is used to respond to the token request in S201.
  • the token response carries the token generated by NRF.
  • the token is used to indicate that the first NF has the authority to subscribe to the third NF for network function services on behalf of the second NF and indicates that the second NF has the authority to receive network function services provided by the third NF.
  • in this way, the NRF can determine the authority of proxy subscription and improve the security of proxy subscription.
  • the first NF sends a subscription request (subscribe request) to the third NF, and the third NF receives the subscription request from the first NF.
  • the subscription request is used by the first NF to subscribe to the network function service from the third NF on behalf of the second NF.
  • the subscription request includes the above token, the instance ID and/or uniform resource identifier (URI) of the first NF, and the instance ID and/or uniform resource identifier (URI) of the second NF.
  • the subscription request may also carry the network function service for which the subscription is requested, and the type and/or identifier of the service producer.
  • the service producer is the third NF; for example, the instance ID and/or uniform resource identifier (URI) of the third NF, and/or the type of the third NF (NF type), is carried.
  • the subscription request may also carry an event ID (Event ID(s)), and/or an event list (Event List), and/or a subscription change notification uniform resource identifier (Subscription Change Notification Uniform Resource Identifier), and/or subscription Change Notification Correlation ID (Subscription Change Notification Correlation ID), and/or Subscription Permanent Identifier (SUPI), and/or Group ID (Group ID), and/or General Public Subscription Identifier (Generic Public Subscription Identifier) , GPSI), and/or Permanent Equipment Identifier (PEI).
  • the first NF determines that the first NF has the authority to subscribe the network function service to the third NF on behalf of the second NF, and then sends a subscription request to the third NF.
  • the third NF verifies the token included in the subscription request, and if the verification succeeds, then executes S206; otherwise, if the token verification fails, the third NF ends the process, or sends a subscription response to the first NF,
  • the subscription response contains subscription failure, or token verification failure information, or other information indicating that the process failed.
  • the third NF determines that the second NF has the authority to receive network function services provided by the third NF, and determines that the first NF has the authority to subscribe to the third NF for network function services on behalf of the second NF.
  • token verification includes one or more of the following: integrity verification of the token, verification of whether the token is used to indicate that the second NF has the authority to receive network function services provided by the third NF, and verification of the validity of the token. The verification fails when any one of the verifications is unsuccessful, and the verification succeeds when all verifications are successful. Specifically, it is necessary to check whether the subscription request contains the identity of the third NF. It is also necessary to verify whether the identifier and/or type of the service producer (service producer) included in the Audience Claim in the token is the same as the identifier and/or type of the third NF. It can also verify whether the third NF can provide the network function service in the subscription request.
  • for example, if the network function services that the third NF can provide include service 1, service 2, and service 3, and the token indicates that the authorized service is service 4, the verification fails.
  • the token has a validity period. When the token is within the validity period, it is valid. After the validity period, the token becomes invalid.
  • the verification succeeds only when the token is within the validity period. It can also verify whether the information contained in the token is consistent with the corresponding information in the subscription request.
  • this description of token verification applies to every token verification step in the full text.
  • the third NF may verify the token through the NRF. Specifically, after receiving the subscription request, the third NF sends a verification request to the NRF. The NRF receives the verification request from the third NF, and verifies the token contained in the verification request. The NRF replies with the verification result to the third NF. If the verification is successful, the third NF executes S206 and S207. Otherwise, the third NF ends the process, or replies with a subscription response to the first NF, and the subscription response includes subscription failure or token verification failure information, or other information indicating that the process failed.
  • when the NRF verifies the token, in addition to the above-mentioned token verification, it can also verify whether the token is consistent with the stored token, or whether the token is consistent with the token contained in the token response sent to the first NF. If they are consistent, the verification succeeds; otherwise, the verification fails. Consistency means that the information indicated by the tokens is the same.
  • the process of verifying the token through the NRF can replace S205.
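  • The token verification described for S205 (integrity, validity period, Audience Claim against the third NF's identifier and/or type, the service the third NF can provide, and consistency between token and subscription request), written out as an added example that is not part of the patent. The claim names (`sub`, `proxied_nf`, `aud`, `scope`), the NF identifiers (`amf-1`, `smf-7`, `udm-3`) and the HMAC secret shared between the NRF and the third NF are constructed for the example; 5G SBA tokens are JWS objects signed by the NRF, and the HMAC stands in for that signature only so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. Assumption for the example only: a real NRF signs
# tokens with its own signing key and the third NF verifies with the NRF's
# public key or a provisioned symmetric key.
NRF_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def nrf_issue_token(first_nf, second_nf, producer_id, producer_type, services, ttl=300, now=None):
    """NRF side (S202/S203): mint the token once the NRF has decided that the first NF
    may subscribe to the third NF on behalf of the second NF. Claim names are hypothetical."""
    now = time.time() if now is None else now
    claims = {
        "sub": first_nf,            # service consumer that will send the subscription request
        "proxied_nf": second_nf,    # the NF on whose behalf the subscription is made
        "aud": {"id": producer_id, "type": producer_type},  # Audience Claim: the third NF
        "scope": sorted(services),  # network function services that may be subscribed
        "iat": int(now),
        "exp": int(now) + ttl,      # validity period
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(NRF_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def third_nf_verify(token, request, my_id, my_type, my_services, now=None):
    """Third NF side (S205). `request` is the subscription request as a dict with the
    keys first_nf, second_nf, producer_id and service. Returns (ok, reason)."""
    now = time.time() if now is None else now
    # 1. integrity verification: the signature must be the NRF's
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = _b64(hmac.new(NRF_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "integrity verification failed"
    claims = json.loads(_unb64(body))
    # 2. validity period: the token is valid only within [iat, exp)
    if not claims["iat"] <= now < claims["exp"]:
        return False, "token expired or not yet valid"
    # 3. the subscription request must name this producer, and the Audience Claim
    #    (identifier and/or type of the service producer) must match this NF
    if request.get("producer_id") != my_id:
        return False, "subscription request does not identify the third NF"
    aud = claims["aud"]
    if aud.get("id") != my_id and aud.get("type") != my_type:
        return False, "audience claim does not match the third NF"
    # 4. this NF must actually provide the requested service, and the token must cover it
    if request["service"] not in my_services:
        return False, "third NF does not provide the requested service"
    if request["service"] not in claims["scope"]:
        return False, "token does not authorise the requested service"
    # 5. consistency: the NF identities in the token and in the subscription request agree
    if claims["sub"] != request["first_nf"] or claims["proxied_nf"] != request["second_nf"]:
        return False, "NF identities in token and subscription request differ"
    return True, "verified"


if __name__ == "__main__":
    now = 1_700_000_000
    tok = nrf_issue_token("amf-1", "smf-7", "udm-3", "UDM", ["service 1", "service 2"], now=now)
    req = {"first_nf": "amf-1", "second_nf": "smf-7", "producer_id": "udm-3", "service": "service 2"}
    print(third_nf_verify(tok, req, "udm-3", "UDM", {"service 1", "service 2", "service 3"}, now=now))
```

  • The check order matters for the failure information returned in the subscription response: integrity first, so that nothing in an unauthenticated token is trusted before the signature is checked, then validity, audience, service and finally the identity consistency check that ties the token to this particular proxy subscription.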
  • the third NF sends an authorization notification to the second NF, and the second NF receives the authorization notification from the third NF.
  • the authorization notification carries the authorization result, and the authorization notification is used to indicate whether the second NF has the authority to receive the network function service provided by the third NF.
  • the second NF can save the authorization result in the authorization notification.
  • the authorization notification may also include a token.
  • the second NF learns the authorization result through the token. That is, the second NF learns from the token whether the second NF has the right to receive the network function service provided by the third NF, and it can also be known that the first NF has the right to subscribe to the third NF for the network function service on behalf of the second NF.
  • the third NF sends a subscription response (subscribe response) to the first NF, and the first NF receives the subscription response from the third NF.
  • the subscription response may carry the authorization result, which is used to indicate that the first NF has the authority to subscribe to the third NF for the network function service on behalf of the second NF.
  • the third NF may also carry the authorization result in the subscription response, and the authorization result includes: whether the first NF has the authority to subscribe to the third NF for the network function service on behalf of the second NF, and whether the second NF has the authority to receive the network function service provided by the third NF; or, the third NF carries the successfully verified token in the subscription response.
  • the first NF determines that the authorization is successful according to the token carried in the subscription response or the authorization result. Further, the first NF may also notify the second NF of the token or authorization result.
  • these operations may also be included in the case of performing S206.
  • the third NF may also send an authorization result indicating that the authorization is unsuccessful to the first NF, that is, indicate that the first NF does not have the authority to subscribe to the third NF for network function services on behalf of the second NF, or indicate that the second NF does not have the right to receive the network function service provided by the third NF. In this case, S206 is omitted.
  • S206 and S207 do not have a strict execution order and can be executed in an exchange order.
  • the third NF provides network function services to the second NF according to the subscribed network function services.
  • when the subscription condition is met, the third NF sends a notification (notify) to the second NF, and the notification includes the network function service provided by the third NF.
  • the third NF may also send a notification to the first NF, and the notification carries information such as service modification or unsubscription.
  • in the roaming scenario, the NFs are located in two different public land mobile networks (PLMN).
  • the interaction between NFs is forwarded through the SCP serving it.
  • the token request sent by the first NF is forwarded by the NRF in the PLMN where the first NF is located to the NRF in the PLMN where the third NF is located.
  • the token response sent by the NRF in the PLMN where the third NF is located is forwarded to the first NF by the NRF in the PLMN where the first NF is located.
  • the generation and authorization of the token is completed by the NRF in the PLMN where the third NF is located.
  • the token verification is also completed by the NRF in the PLMN where the third NF is located.
  • Other processing procedures are the same as those described in one of the authorization methods for proxy subscription.
  • the embodiment of this application provides the second method for authorization of proxy subscription.
  • the main content includes: the first NF and the second NF respectively send a token request to the NRF, and the NRF generates two tokens for the token request respectively sent by the first NF and the second NF.
  • the first token and the second token are used to represent these two tokens.
  • the first token is requested by the first NF and sent to the first NF by the NRF.
  • the second token is requested by the second NF and sent by the NRF to the second NF.
  • the first token is used to indicate that the first NF has the authority to subscribe to the third NF for network function services on behalf of the second NF; the second token is used to indicate that the second NF has the authority to receive network function services provided by the third NF.
  • the first NF sends a notification message to the second NF, and the second NF receives the notification message from the first NF.
  • the notification message is used to instruct the second NF to request a token. For example, instruct the second NF to send a token request to the NRF to obtain the token.
  • the notification message can carry the following information:
  • the identity of the first NF such as the instance ID and/or URI of the first NF.
  • the notification also carries the type of service producer (service producer) and/or the identifier of the service producer (service producer).
  • the service provider is the third NF.
  • the notification also carries other parameters required for authorization and token generation.
  • the notification message further includes an event ID (Event ID(s)), and/or an event list (Event List), and/or a subscription change notification uniform resource identifier (Subscription Change Notification Uniform Resource Identifier), and/or a subscription change notification correlation ID (Subscription Change Notification Correlation ID), and/or a subscription permanent identifier (Subscription Permanent Identifier, SUPI), and/or a group identifier (Group ID), and/or a generic public subscription identifier (Generic Public Subscription Identifier, GPSI), and/or a permanent equipment identifier (Permanent Equipment Identifier, PEI).
  • the second NF sends a token request to the NRF, and the NRF receives the token request from the second NF.
  • the token request is used to request execution authorization, and the execution authorization process includes: judging whether the second NF has the authority to receive the network function service provided by the third NF.
  • the token request carries the identifier of the service consumer (service consumer), that is, the identifier of the second NF. For example, the instance ID and/or the uniform resource identifier (URI) of the second NF are carried.
  • the token request also carries the network function service for which subscription is requested, the type of service producer and/or the identifier and/or type of the service producer. In this embodiment, the service provider is the third NF.
  • the token request also carries other parameters required for authorization and token generation. Please refer to the relevant description of the parameters included in the token request in S201, which will not be repeated here.
  • the first NF sends a token request to the NRF, and the NRF receives the token request from the first NF.
  • the token request is used to request execution authorization.
  • the process of performing authorization includes: determining whether the first NF has the authority to send a subscription request to the third NF, for example, whether the first NF has the authority to subscribe to the third NF for network function services on behalf of the second NF.
  • the token request carries the identity of the service consumer (service consumer), that is, the identity of the first NF, and also carries the identity of the second NF, which represents a proxy subscription scenario. For example, it carries the instance ID and/or uniform resource identifier (URI) of the first NF, and the instance ID and/or uniform resource identifier (URI) of the second NF.
  • the token request also carries the network function service for which the subscription is requested, the type of service producer and/or the identifier of the service producer.
  • the service provider is the third NF.
  • the token request also carries other parameters required for authorization and token generation. Please refer to the relevant description of the parameters included in the token request in S201, which will not be repeated here.
  • the token request sent by the first NF to the NRF is recorded as the first token request
  • the token request sent by the second NF to the NRF is recorded as the second token request.
  • both the first token request and the second token request may also carry an indication information, and the indication information is used to indicate the token in the scenario of requesting proxy subscription.
  • the first token request is used to obtain the calling authority of the network function service provided by the third NF. For example, it is requested to obtain whether the first NF has the authority to send a subscription request to the third NF, or whether the first NF has the authority to subscribe network function services to the third NF on behalf of the second NF.
  • the second token request is used to obtain the calling authority of the network function service provided by the third NF. For example, it is requested to obtain whether the second NF has the authority to receive the network function service provided by the third NF.
  • S300 is further included before S301.
  • the NRF determines whether the first NF has the authority to subscribe to the third NF for the network function service on behalf of the second NF, and if so, generates the first token;
  • the NRF determines whether the second NF has the authority to receive the network function service provided by the third NF based on the received second token request, and if so, generates the second token.
  • the first token request received by the NRF from the first NF may also carry an indication information, and the indication information is used to instruct the first NF to subscribe for the network function service from the third NF on behalf of the second NF.
  • the second token request received by the NRF from the second NF may also carry an indication information, and the indication information is used to instruct the first NF to subscribe to the third NF for the network function service on behalf of the second NF.
  • the NRF determines that the current first NF request is the token in the proxy subscription scenario.
  • the NRF may be determined according to the service call name of the first token request and/or the second token request, where the service call name of the token request is different from the service call name of the token request in the prior art;
  • the NRF is determined according to the indication information carried in the first token request and/or the second token request; or the NRF determines according to other methods that the current first NF request is a token in the proxy subscription scenario.
  • the NRF may determine the authority based on the identification of the first NF carried in the first token request, the identification or type of the service provider (that is, the third NF), and/or other information in the first token request, in combination with a locally configured policy or authorization information; that is, it determines whether the first NF has the authority to subscribe to the third NF for network function services on behalf of the second NF. If it is determined that the first NF has the authority to subscribe to the network function service from the third NF on behalf of the second NF, the NRF generates the first token.
  • the first token contains the identifiers of the first NF and the second NF.
  • the specific NF identifier may be the NF Instance ID, and/or the URI of the NF, and/or other forms of ID or address information that can uniquely identify the NF.
  • the token may also include an event ID (Event ID(s)), and/or an event list (Event List), and/or a subscription change notification uniform resource identifier (Subscription Change Notification Uniform Resource Identifier), and/or a subscription change notification correlation ID (Subscription Change Notification Correlation ID), and/or a subscription permanent identifier (Subscription Permanent Identifier, SUPI), and/or a group ID (Group ID), and/or a generic public subscription identifier (Generic Public Subscription Identifier, GPSI), and/or a permanent equipment identifier (Permanent Equipment Identifier, PEI), and/or other parameters required for authorization and token generation.
  • the NRF can also determine the authority based on the identity of the second NF carried in the second token request, the identity and/or type of the service provider (that is, the third NF), and/or other information in the second token request, in combination with a locally configured policy or authorization information; that is, it determines whether the second NF has the authority to receive the network function service provided by the third NF. If it is determined that the second NF has the authority to receive the network function service provided by the third NF, the NRF generates the second token.
  • the second token includes the identification of the second NF.
  • the specific NF identification may be the NF Instance ID, and/or the URI of the NF, and/or other forms of ID or address information that can uniquely identify the NF.
  • the token may also include an event ID (Event ID(s)), and/or an event list (Event List), and/or a subscription change notification uniform resource identifier (Subscription Change Notification Uniform Resource Identifier), and/or a subscription change notification correlation ID (Subscription Change Notification Correlation ID), and/or a subscription permanent identifier (Subscription Permanent Identifier, SUPI), and/or a group ID (Group ID), and/or a generic public subscription identifier (Generic Public Subscription Identifier, GPSI), and/or a permanent equipment identifier (Permanent Equipment Identifier, PEI), and/or other parameters required for authorization and token generation.
  • otherwise, the NRF ends the process, and the NRF may also send a message to the first NF to indicate the determination result.
  • the NRF sends a token response to the first NF, and the first NF receives the token response from the NRF.
  • the token response carries the first token and the second token. Because the NRF knows that the first NF acts as a proxy for the second NF to subscribe to the third NF for network function services, the NRF only needs to send a token response to the first NF.
  • the token response may also carry the identity of the first NF and the identity of the second NF.
  • the NRF can determine the authority of proxy subscription and improve the security of proxy subscription.
  • the first NF sends a subscription request (subscribe request) to the third NF, and the third NF receives the subscription request from the first NF.
  • the subscription request is used by the first NF to request the proxy of the second NF to subscribe to the network function service from the third NF.
  • the subscription request includes the first token and the second token.
  • the first NF determines that the first NF has the authority to subscribe the network function service to the third NF on behalf of the second NF, and then sends a subscription request to the third NF.
  • the third NF verifies the first token and the second token contained in the subscription request, and if the verification is successful, executes S308; otherwise, the third NF terminates the process, or replies with a subscription response to the first NF,
  • the subscription response contains the subscription failure, or token verification failure information, or other information indicating the failure of the process.
  • if the verification of the first token is successful, it is determined that the first NF has the authority to subscribe to the third NF for network function services on behalf of the second NF; if the verification of the second token is successful, it is determined that the second NF has the authority to receive the network function service provided by the third NF.
  • the content and manner of token verification can refer to the description of the embodiment shown in FIG. 2, which will not be repeated here.
  • the third NF can verify the token through the NRF. Specifically, after receiving the subscription request, the third NF sends a verification request to the NRF, and the NRF receives the verification request from the third NF, and verifies the first token and the second token included in the verification request. The NRF replies with the verification result to the third NF. If the verification is successful, the third NF executes S308; otherwise, the third NF ends the process, or replies with a subscription response to the first NF, and the subscription response contains subscription failure, or token verification failure information, or other information indicating that the process failed.
  • the process of verifying the token by the third NF through the NRF can replace S307.
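  • The two-token flow of the second method (NRF decision at S300 from locally configured policy, the first token naming both NFs, and the third NF checking both tokens at S307), as an added example that is not part of the patent. The policy tables, claim names and NF identifiers are constructed; integrity verification of each token is assumed to have already succeeded, so the tokens are handled here as claim sets. The point the example adds is the binding check: the second token must have been issued to the very NF the first token names as the proxied NF, otherwise an unrelated consumer token could be paired with a valid proxy token.

```python
# Constructed local policy tables of the NRF (S300). The patent only says the NRF
# decides from "locally configured policy or authorization information"; this
# table shape is an assumption for the example.
PROXY_POLICY = {
    # (first NF, second NF, producer type) -> services the first NF may subscribe
    # to on behalf of the second NF
    ("amf-1", "smf-7", "UDM"): {"service 1", "service 2"},
    ("amf-1", "smf-9", "UDM"): {"service 1"},
}
CONSUMER_POLICY = {
    # (second NF, producer type) -> services the second NF may receive from that producer
    ("smf-7", "UDM"): {"service 1", "service 2", "service 3"},
}


def nrf_handle_first_token_request(first_nf, second_nf, producer_type, service):
    """S301/S300: first token request. Returns the first token's claims, or None if denied."""
    if service not in PROXY_POLICY.get((first_nf, second_nf, producer_type), set()):
        return None
    # the first token carries the identifiers of both the first NF and the second NF
    return {"sub": first_nf, "proxied_nf": second_nf, "aud": producer_type, "scope": service}


def nrf_handle_second_token_request(second_nf, producer_type, service):
    """S302/S300: second token request. Returns the second token's claims, or None if denied."""
    if service not in CONSUMER_POLICY.get((second_nf, producer_type), set()):
        return None
    # the second token carries the identifier of the second NF
    return {"sub": second_nf, "aud": producer_type, "scope": service}


def third_nf_check_token_pair(first_token, second_token, request, my_type):
    """S307 at the third NF. Both tokens are assumed already integrity-checked.
    `request` is the subscription request with keys first_nf, second_nf, service.
    Returns (ok, reason)."""
    if first_token is None or second_token is None:
        return False, "missing token"
    # the Audience Claim of both tokens must match this producer
    if first_token["aud"] != my_type or second_token["aud"] != my_type:
        return False, "audience mismatch"
    # the first token must be consistent with the identities in the subscription request
    if first_token["sub"] != request["first_nf"] or first_token["proxied_nf"] != request["second_nf"]:
        return False, "first token does not match subscription request"
    # binding: the second token must belong to the NF the first token names as proxied
    if second_token["sub"] != first_token["proxied_nf"]:
        return False, "second token was not issued to the NF named in the first token"
    # both tokens must authorise the subscribed service
    if first_token["scope"] != request["service"] or second_token["scope"] != request["service"]:
        return False, "service not authorised by both tokens"
    return True, "verified"


def proxy_subscription_flow(first_nf, second_nf, producer_type, service):
    """Runs S301 to S307 end to end for one proxy subscription. Returns (ok, reason)."""
    t1 = nrf_handle_first_token_request(first_nf, second_nf, producer_type, service)   # S301
    t2 = nrf_handle_second_token_request(second_nf, producer_type, service)            # S302
    if t1 is None:
        return False, "NRF denied first token request"
    if t2 is None:
        return False, "NRF denied second token request"
    # S305: the first NF places both tokens in the subscription request to the third NF
    request = {"first_nf": first_nf, "second_nf": second_nf, "service": service}
    return third_nf_check_token_pair(t1, t2, request, producer_type)                  # S307


if __name__ == "__main__":
    print(proxy_subscription_flow("amf-1", "smf-7", "UDM", "service 1"))
    print(proxy_subscription_flow("amf-1", "smf-9", "UDM", "service 1"))
```

  • Because the NRF returns both tokens to the first NF (S304), the third NF cannot rely on transport identity to tie the second token to the second NF; the `proxied_nf` identifier in the first token is what links the two, which is why the binding check sits in S307 rather than only in the NRF.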
  • S308 to S310 is the same as that of S206 to S208, and will not be repeated here.
  • the second authorization method for proxy subscription can also be applied to roaming scenarios.
  • in the roaming scenario, the NFs are located in two different PLMNs.
  • the interaction between NFs is forwarded through the SCP serving it.
  • the first token request sent by the first NF is forwarded by the NRF in the PLMN where the first NF is located to the NRF in the PLMN where the third NF is located.
  • the second token request sent by the second NF is forwarded by the NRF in the PLMN where the second NF is located to the NRF in the PLMN where the third NF is located.
  • the token response sent by the NRF in the PLMN where the third NF is located is forwarded to the first NF by the NRF in the PLMN where the first NF is located.
  • the generation and authorization of the token is completed by the NRF in the PLMN where the third NF is located.
  • the token verification is also completed by the NRF in the PLMN where the third NF is located.
  • Other processing procedures are the same as those described in the second authorization method for proxy subscription.
  • the embodiment of this application provides the third method for authorization of proxy subscription.
  • the third method of authorization for proxy subscription described below is based on the interaction between three network functions.
  • the three network functions include a first NF, a second NF, and a third NF.
  • the process of the third method for authorizing proxy subscription is as follows.
  • the first NF sends a subscription request (subscribe request) to the third NF, and the third NF receives the subscription request from the first NF.
  • the subscription request is used by the first NF to request the proxy of the second NF to subscribe to the third NF for network function services.
  • the subscription request carries the identification of the first NF and the identification of the second NF.
  • S400 is further included before S401.
  • the second NF sends NF information to the first NF, and the first NF receives the NF information from the second NF.
  • the NF information includes the identification of the second NF. For example, the instance ID and/or uniform resource identifier (URI) of the second NF. If the first NF has already configured or stored the information of the second NF, S400 does not need to be executed.
  • the NF information further includes an event identifier (Event ID(s)), and/or an event list (Event List), and/or a subscription change notification uniform resource identifier (Subscription Change Notification Uniform Resource Identifier), and/or a subscription change notification correlation ID (Subscription Change Notification Correlation ID), and/or a subscription permanent identifier (Subscription Permanent Identifier, SUPI), and/or a group identifier (Group ID), and/or a generic public subscription identifier (Generic Public Subscription Identifier, GPSI), and/or a permanent equipment identifier (Permanent Equipment Identifier, PEI).
  • the first NF can obtain the information of the second NF.
  • the identification of the second NF carried in the subscription request in S401 may be derived from S400, or may be pre-configured or stored by the first NF.
  • the third NF performs authorization based on the received subscription request.
  • the authorization operation performed includes: determining whether the first NF has the authority to subscribe network function services to the third NF on behalf of the second NF, and determining whether the second NF has the authority to receive network function services provided by the third NF.
  • the method for determining the authority may be, for example, that the third NF may determine the authority based on information such as the identity of the first NF, the identity of the second NF, and the type of service provider carried in the subscription request, combined with locally configured policies or authorization information.
  • if the third NF determines that the second NF has the right to receive the network function service provided by the third NF, S403 is executed; or, if the third NF determines that the second NF has the right to receive the network function service provided by the third NF and that the first NF has the authority to subscribe to the network function service from the third NF on behalf of the second NF, then S403 is executed.
  • if it is determined that the first NF does not have the authority to subscribe to the third NF on behalf of the second NF, or it is determined that the second NF does not have the authority to receive network function services from the third NF, the third NF ends the process.
  • the third NF may also send a message to the first NF to indicate the determination result.
  • the third NF sends an authorization notification to the second NF, and the second NF receives the authorization notification from the third NF.
  • the authorization notification carries the authorization result, and the authorization notification is used to indicate that the second NF has the right to receive the network function service provided by the third NF.
  • the second NF can save the authorization result in the authorization notification.
  • the third NF sends a subscription response (subscribe response) to the first NF, and the first NF receives the subscription response from the third NF.
  • the subscription response may carry the authorization result, which is used to indicate that the first NF has the authority to subscribe to the third NF for the network function service on behalf of the second NF.
  • the third NF may also carry the authorization result in the subscription response.
  • the authorization result includes: the first NF has the authority to subscribe to the third NF for network function services on behalf of the second NF, and the second NF has the authority to receive the network function service provided by the third NF.
  • the first NF determines that the authorization is successful according to the authorization result carried in the subscription response. Further, the first NF may also notify the second NF of the authorization result. Of course, in the case of performing S403, these operations may also be included.
  • S403 and S404 do not have a strict execution order and can be executed in an exchange order.
  • the third NF provides network function services to the second NF according to the subscribed network function services.
  • when the subscription condition is met, the third NF sends a notification (notify) to the second NF, and the notification includes the network function service provided by the third NF.
  • the third NF may also send a notification to the first NF, and the notification carries information such as service modification or unsubscription.
  • the third authorization method for proxy subscription can also be applied to roaming scenarios.
  • in the roaming scenario, the NFs are located in two different PLMNs.
  • Other processing procedures are the same as those described in the third authorization method for proxy subscription.
  • the third NF determines the authority after receiving the proxy subscription request, which can ensure the security of the proxy subscription.
  • the embodiments of the present application provide the fourth method for authorizing proxy subscription, the fifth method for proxy subscription and the sixth method for proxy subscription.
  • the fourth method of authorization for proxy subscription, the fifth method of authorization for proxy subscription, and the sixth method of authorization for proxy subscription described below are all based on the interaction between five network functions.
  • the five network functions include the first NF, the second NF, the third NF, NRF and SCP.
  • SCP is used to play the role of service call forwarding between NFs, or SCP can independently complete the authorization of requesting services, or SCP can cooperate with NRF to complete the authorization of requesting services.
  • the process of the fourth method for authorizing proxy subscription is as follows. This method uses tokens to ensure the security of proxy subscriptions.
  • the first NF sends a token request to the NRF, and the NRF receives the token request from the first NF.
  • This step is the same as S201, and the detailed description can refer to S201, which will not be repeated here.
  • S500 is also included before S501.
  • the second NF sends NF information to the first NF, and the first NF receives the NF information from the second NF.
  • This step is the same as S200, and the detailed description can refer to S200, which will not be repeated here.
  • the NRF determines whether the second NF has the authority to receive the network function service provided by the third NF based on the received token request.
  • This step is the same as S202, which will not be repeated here.
  • the NRF sends a token response to the first NF, and the first NF receives the token response from the NRF.
  • This step is the same as S203, which will not be repeated here.
  • S501 to S503 is the same as the description of S201 to S203, and you can refer to the related description of one of the authorization methods for proxy subscription.
  • the first NF sends a subscription request (subscribe request) to the SCP, and the SCP receives the subscription request from the first NF.
  • the subscription request is used by the first NF to request the proxy of the second NF to subscribe to the network function service from the third NF.
  • the subscription request includes the above token.
  • the SCP verifies the token included in the subscription request. If the verification succeeds, S508 is executed; otherwise, if the verification fails, the SCP ends the process, or replies to the first NF with a subscription response that contains subscription failure information, token verification failure information, or other information indicating process failure.
  • the SCP determines that the first NF has the authority to subscribe to the network function service from the third NF on behalf of the second NF, and that the second NF has the authority to receive the network function service provided by the third NF.
  • the verification includes one or more of the following: integrity verification of the token, verification of whether the token indicates that the second NF has the right to receive network function services provided by the third NF, and verification of the token's validity.
  • the verification fails when any one of the verifications is unsuccessful, and the verification succeeds when all verifications are successful.
  • it is necessary to check whether the subscription request contains the identity of the third NF.
  • it is also necessary to verify whether the identity and/or type of the service producer contained in the audience claim of the token is the same as the identity and/or type of the third NF queried by the SCP.
  • the SCP can obtain the identity of the third NF from its local configuration, or by querying the information of the third NF, or from information obtained from the NRF. It can also verify whether the third NF can provide the subscribed network function service.
  • for example, the network function services that the third NF can provide include service 1, service 2, and service 3; if the token indicates that the authorized service is service 4, the verification fails.
  • the token has a validity period. When the token is within the validity period, it is valid. After the validity period, the token becomes invalid. The verification succeeds only when the token is within the validity period. It can also verify whether the information contained in the token is consistent with the corresponding information in the subscription request.
  • the SCP can also verify the token through the NRF. Specifically, after receiving the subscription request, the SCP sends a verification request to the NRF; the NRF receives the verification request from the SCP and verifies the token included in it. The NRF returns the verification result to the SCP. If the verification is successful, the SCP executes S508; otherwise, the SCP ends the process, or replies with a subscription response to the first NF.
  • the subscription response includes subscription failure, or token verification failure information, or other information indicating process failure.
  • the process of verifying the token through the NRF can replace S507.
  • the SCP sends an authorization notification to the second NF, and the second NF receives the authorization notification from the SCP.
  • the authorization notification carries the authorization result, and the authorization notification is used to indicate that the second NF has the right to receive the network function service provided by the third NF.
  • the second NF can save the authorization result in the authorization notification.
  • the authorization notification may also include a token.
  • the second NF learns the authorization result through the token. That is, the second NF learns from the token whether the second NF has the right to receive the network function service provided by the third NF, and it can also be known that the first NF has the right to subscribe to the third NF for the network function service on behalf of the second NF.
  • the SCP sends a subscription request to the third NF, and the third NF receives the subscription request from the SCP.
  • the subscription request carries the information from the subscription request received from the first NF other than the token, and may also carry the verification result.
  • the verification result is used to indicate whether the token verification is successful, or it is used to indicate the authorization result, that is, whether the second NF has the authority to receive network function services provided by the third NF, and whether the first NF has the authority to subscribe to network function services from the third NF on behalf of the second NF.
  • the third NF returns a subscription response to the SCP, and the SCP receives the subscription response from the third NF.
  • the SCP sends a subscription response to the first NF, and the first NF receives the subscription response from the SCP.
  • the subscription response may carry the authorization result, which is used to indicate whether the first NF has the authority to subscribe to the third NF for the network function service on behalf of the second NF and whether the second NF has the authority to receive the network function service provided by the third NF.
  • when the SCP verifies the token successfully, the authorization result is yes; when the SCP fails to verify the token, the authorization result is no.
  • if the authorization result is yes, it includes that the first NF has the right to subscribe to the third NF for network function services on behalf of the second NF, and/or the second NF has the right to receive network function services provided by the third NF. If the authorization result is no, it includes that the first NF does not have the authority to subscribe to network function services from the third NF on behalf of the second NF, and/or the second NF does not have the authority to receive network function services provided by the third NF.
  • the subscription response may carry the token.
  • the token or authorization result may be further sent to the second NF through the first NF, in which case S506 is omitted.
  • the third NF provides network function services to the second NF according to the subscribed network function services.
  • when the subscription condition is met, the third NF sends a notification (notify) to the second NF, and the notification includes the network function service provided by the third NF.
  • the third NF may also send a notification to the first NF through the SCP, and the notification carries information such as service modification or unsubscription. Specifically, the third NF sends a notification to the SCP, and the SCP forwards the notification to the first NF.
  • the fourth authorization method for proxy subscription can also be applied to roaming scenarios.
  • the NFs are located in two different PLMNs.
  • the interaction between NFs is forwarded through the SCP serving it.
  • the token request sent by the first NF is forwarded by the NRF in the PLMN where the first NF is located to the NRF in the PLMN where the third NF is located.
  • the token response sent by the NRF in the PLMN where the third NF is located is forwarded to the first NF by the NRF in the PLMN where the first NF is located.
  • the generation and authorization of the token is completed by the NRF in the PLMN where the third NF is located.
  • when the SCP verifies the token through the NRF, the token verification is also completed by the NRF in the PLMN where the third NF (NF_B) is located.
  • otherwise, the verification of the token is completed by the SCP serving the third NF.
  • Other processing procedures are the same as those described in the fourth authorization method for proxy subscription.
  • the authority is judged by NRF, and the token is verified by SCP to improve the security of proxy subscription.
  • the flow of the fifth method for authorizing proxy subscription is as follows. This method uses two tokens to indicate the authority of the first NF and the third NF respectively, so as to improve the security of the proxy subscription process.
  • the first NF sends a notification message to the SCP, and the SCP receives the notification message from the first NF.
  • the SCP forwards the notification message to the second NF, and the second NF receives the notification message from the SCP.
  • the notification message is used to instruct the second NF to request a token. For example, instruct the second NF to send a token request to the NRF to obtain the token.
  • the notification message can carry the following information:
  • the identity of the first NF such as the instance ID and/or URI of the first NF.
  • the notification also carries the type of service producer and/or the identifier and/or type of the service producer.
  • the service provider is the third NF.
  • the notification also carries other parameters required for authorization and token generation.
  • the notification message further includes an event ID (Event ID(s)), and/or an event list (Event List), and/or a subscription change notification uniform resource identifier (Subscription Change Notification Uniform Resource Identifier), and/or a subscription change notification correlation identifier (Subscription Change Notification Correlation ID), and/or a subscription permanent identifier (Subscription Permanent Identifier, SUPI), and/or a group identifier (Group ID), and/or a generic public subscription identifier (Generic Public Subscription Identifier, GPSI), and/or a permanent equipment identifier (Permanent Equipment Identifier, PEI).
  • the second NF sends a token request to the NRF, and the NRF receives the token request from the second NF.
  • the token request is used to request execution authorization, and the execution authorization process includes: judging whether the second NF has the authority to receive the network function service provided by the third NF.
  • the token request carries the identifier of the service consumer (service consumer), that is, the identifier of the second NF.
  • the identifier of the second NF is carried, such as the instance ID and/or URI of the second NF.
  • the token request also carries the network function service for which subscription is requested, the type of service producer and/or the identifier and/or type of service producer.
  • the service provider is the third NF. The token request also carries other parameters required for authorization and token generation. Please refer to the relevant description of the parameters included in the second token request in S201, which will not be repeated here.
  • the first NF sends a token request to the NRF, and the NRF receives the token request from the first NF.
  • the token request is used to request execution authorization.
  • the process of performing authorization includes: determining whether the first NF has the authority to send a subscription request to the third NF, for example, whether the first NF has the authority to subscribe to the third NF for network function services on behalf of the second NF.
  • the token request carries the identity of the service consumer (service consumer), that is, the identity of the first NF, and also carries the identity of the second NF, which represents a proxy subscription scenario. For example, it carries the instance ID and/or uniform resource identifier (URI) of the first NF, and the instance ID and/or uniform resource identifier (URI) of the second NF.
  • the token request also carries the network function service for which subscription is requested, the type of service producer and/or the identifier and/or type of service producer.
  • the service provider is the third NF. The token request also carries other parameters required for authorization and token generation. Please refer to the relevant description of the parameters included in the first token request in S201, which will not be repeated here.
  • the token request sent by the first NF to the NRF is recorded as the first token request.
  • the token request sent by the second NF to the NRF is recorded as the second token request.
  • both the first token request and the second token request may also carry indication information, which is used to indicate that the token is requested in a proxy subscription scenario.
  • the first token request is used to obtain the calling authority of the network function service provided by the third NF. For example, it is requested to obtain whether the first NF has the authority to send a subscription request to the third NF, or whether the first NF has the authority to subscribe network function services to the third NF on behalf of the second NF.
  • the second token request is used to obtain the calling authority of the network function service provided by the third NF. For example, it is requested to obtain whether the second NF has the authority to receive the network function service provided by the third NF.
  • S600 is also included before S601.
  • the NRF determines whether the first NF has the authority to subscribe to the third NF for the network function service on behalf of the second NF, and if so, generates the first token.
  • the NRF determines whether the second NF has the authority to receive the network function service provided by the third NF based on the received second token request, and if so, generates the second token.
  • the first token request received by the NRF from the first NF may also carry indication information, which is used to indicate that the first NF subscribes to the network function service from the third NF on behalf of the second NF.
  • the second token request received by the NRF from the second NF may also carry indication information, which is used to indicate that the first NF subscribes to the network function service from the third NF on behalf of the second NF.
  • first, the NRF determines that the token currently requested by the first NF is a token in the proxy subscription scenario.
  • the NRF may determine this according to the service call name of the first token request and/or the second token request, where the service call name of the token request is different from the service call name of the token request in the prior art;
  • or the NRF determines this according to the indication information carried in the first token request and/or the second token request; or the NRF determines by other methods that the current request of the first NF is for a token in the proxy subscription scenario.
  • the NRF may determine the authority according to the identification of the first NF carried in the first token request, the identification or type of the service provider (that is, the third NF), and/or other information in the first token request, in combination with the locally configured policy or authorization information; that is, it determines whether the first NF has the authority to subscribe to the third NF for network function services on behalf of the second NF. If it is determined that the first NF has the authority to subscribe to the network function service from the third NF on behalf of the second NF, the NRF generates the first token.
  • for the information contained in the first token, please refer to the description of the information contained in the first token in S304.
  • the NRF can also determine the authority based on the identity of the second NF carried in the second token request, the type of the service provider (that is, the third NF), and the locally configured policy or authorization information, that is, determine whether the second NF has the authority to receive the network function service provided by the third NF. If it is determined that the second NF has the authority to receive the network function service provided by the third NF, the NRF generates the second token.
  • for the information contained in the second token, please refer to the description of the information contained in the second token in S304.
  • otherwise, the NRF ends the process, and the NRF may also send a message to the first NF to indicate the determination result.
  • the NRF sends a token response to the first NF, and the first NF receives the token response from the NRF.
  • the first token response carries the first token and the second token. Because the NRF knows that the first NF acts as a proxy for the second NF to subscribe to the network function service from the third NF, the NRF only needs to send a token response to the first NF without responding to the third NF.
  • the first token response may also carry the identification of the first NF and the identification of the second NF.
  • the NRF can determine the authority of proxy subscription and improve the security of proxy subscription.
  • the SCP stores the first token and the second token.
  • the first NF sends a subscription request (subscribe request) to the SCP, and the SCP receives the subscription request from the first NF.
  • the subscription request is used by the first NF to request, on behalf of the second NF, a subscription to the network function service from the third NF.
  • the subscription request includes the above-mentioned first token and the second token.
  • the SCP verifies the tokens contained in the subscription request. If the verification is successful, S610 is executed; otherwise, the third NF ends the process, or sends a subscription response to the first NF that contains subscription failure information, token verification failure information, or other information indicating that the process failed.
  • if the verification of the first token is successful, it is determined that the first NF has the authority to subscribe to the third NF for network function services on behalf of the second NF; if the verification of the second token is successful, it is determined that the second NF has the authority to receive the network function service provided by the third NF.
  • the content and method of token verification can refer to the description of the embodiment shown in FIG. 5, which will not be repeated here.
  • the SCP can also verify the tokens through the NRF. Specifically, after receiving the subscription request, the SCP sends a verification request to the NRF; the NRF receives the verification request from the SCP and verifies the first token and the second token included in it. The NRF replies with the verification result to the SCP. If the verification is successful, the SCP executes S610; otherwise, the third NF ends the process or replies with a subscription response to the first NF.
  • the subscription response includes subscription failure or token verification failure information, or other information indicating process failure.
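  • The following is an added example, not code from the patent: a constructed model of the SCP-side checks described for S507 (one token, fourth method) and S608 (first and second token, fifth method). The token encoding, claim names (aud, scope, nbf, exp, receiver, proxy, on_behalf_of), the NF identities and the shared NRF_KEY are all assumptions; a real NRF would sign tokens with its private key and the SCP would verify them with the NRF's public key.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a shared secret lets the SCP check the NRF's integrity tag; a real
# NRF would sign with a private key and the SCP would verify with its public key.
NRF_KEY = b"constructed-example-key"
REQUIRED = {"receive", "proxy"}   # both authorities the SCP must see before S508/S610


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def nrf_issue_token(claims: dict, key: bytes = NRF_KEY) -> str:
    """NRF side (S502 / S602): serialise the claims and attach an integrity tag."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + tag


def scp_verify_token(token: str, req: dict, producer: dict, now: int,
                     key: bytes = NRF_KEY):
    """Run one token through the checks listed for S507. Returns (grants, reason):
    grants is the subset of REQUIRED this token establishes, empty on failure."""
    # Integrity verification of the token.
    try:
        body, tag = token.split(".")
    except ValueError:
        return set(), "malformed token"
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        return set(), "integrity verification failed"
    claims = json.loads(_unb64(body))
    # Validity period: the token is valid only inside [nbf, exp).
    if not claims["nbf"] <= now < claims["exp"]:
        return set(), "token outside validity period"
    # The request must name the third NF, and its identity and type must match
    # the service producer in the token's audience claim.
    if "producer_id" not in req:
        return set(), "subscription request lacks the identity of the third NF"
    if claims["aud"] != req["producer_id"] or claims["aud_type"] != producer["nf_type"]:
        return set(), "audience claim does not match the third NF"
    # The service must be authorised by the token and actually offered by the
    # third NF (a token for service 4 against a producer of services 1..3 fails).
    if req["service"] not in claims["scope"]:
        return set(), "service not authorised by token"
    if req["service"] not in producer["services"]:
        return set(), "third NF does not provide the requested service"
    # Consistency between token and request: which authority the token proves
    # for the NFs actually named in the subscription request.
    grants = set()
    if claims.get("receiver") == req["second_nf"]:
        grants.add("receive")
    if (claims.get("proxy") == req["first_nf"]
            and claims.get("on_behalf_of") == req["second_nf"]):
        grants.add("proxy")
    if not grants:
        return set(), "token does not cover the NFs in the subscription request"
    return grants, "ok"


def scp_authorize(tokens, req, producer, now, key=NRF_KEY):
    """All tokens must verify, and together they must show that the second NF may
    receive the service and that the first NF may subscribe on its behalf."""
    granted = set()
    for tok in tokens:
        grants, reason = scp_verify_token(tok, req, producer, now, key)
        if not grants:
            return False, reason
        granted |= grants
    if granted != REQUIRED:
        return False, "missing authority: " + ", ".join(sorted(REQUIRED - granted))
    return True, "forward subscription request to the third NF"


# Constructed sample data: a producer offering services 1..3 and a request by
# nf-a, on behalf of nf-c, to subscribe to service 2 from nf-b.
PRODUCER = {"nf_type": "UDM", "services": ["service 1", "service 2", "service 3"]}
REQUEST = {"first_nf": "nf-a", "second_nf": "nf-c",
           "producer_id": "nf-b", "service": "service 2"}
NOW = 1_700_000_000
BASE = {"aud": "nf-b", "aud_type": "UDM", "scope": ["service 2"],
        "nbf": NOW - 60, "exp": NOW + 600}
# Fourth method: one token carrying both authorities.
SINGLE = nrf_issue_token({**BASE, "receiver": "nf-c", "proxy": "nf-a", "on_behalf_of": "nf-c"})
# Fifth method: first token (proxy authority of nf-a), second token (receive authority of nf-c).
FIRST = nrf_issue_token({**BASE, "proxy": "nf-a", "on_behalf_of": "nf-c"})
SECOND = nrf_issue_token({**BASE, "receiver": "nf-c"})
# A token authorising only service 4, which the producer does not offer.
WRONG_SCOPE = nrf_issue_token({**BASE, "scope": ["service 4"], "receiver": "nf-c",
                               "proxy": "nf-a", "on_behalf_of": "nf-c"})
```

  • Calling scp_authorize([SINGLE], REQUEST, PRODUCER, NOW) or scp_authorize([FIRST, SECOND], ...) reaches the forwarding step, while a single token of the fifth method, an expired token, a tampered tag or the service 4 token each return the specific failure the SCP would put in its subscription response.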
  • S609 to S613 are the same as S506 to S510, and will not be repeated here.
  • the fifth authorization method for proxy subscription is implemented in the SCP system architecture.
  • the authority is judged by the NRF, which generates the first token and the second token, and the first token and the second token are verified by the SCP, which improves the security of proxy subscription.
  • the fifth authorization method for proxy subscription can also be applied to roaming scenarios.
  • the NFs are located in two different PLMNs.
  • the token request sent by the first NF is forwarded by the NRF in the PLMN where the first NF is located to the NRF in the PLMN where the third NF is located.
  • the token response sent by the NRF in the PLMN where the third NF is located is forwarded to the first NF by the NRF in the PLMN where the first NF is located.
  • the verification of the token is completed by the SCP serving the third NF. When the SCP verifies the token through the NRF, the token verification is completed by the NRF in the PLMN where the third NF is located.
  • the other processing procedures are the same as those described in the fifth authorization method for proxy subscription.
  • the process of the sixth method for authorization of proxy subscription provided by the embodiment of the present application is as follows.
  • the design idea of this method is that when the SCP receives a subscription request that represents a proxy subscription, it does not forward it immediately; it first consults the NRF for authorization, or judges the authorization itself, and decides whether to forward the subscription request according to the authorization result. This helps to improve the security of the proxy subscription process.
  • the first NF sends a subscription request to the SCP, and the SCP receives the subscription request from the first NF.
  • the subscription request is used by the first NF to request, on behalf of the second NF, a subscription to the network function service from the third NF. Please refer to the relevant description of S204 for the parameters included in the subscription request.
  • S700 is also included before S701.
  • the second NF sends NF information to the first NF, and the first NF receives the NF information from the second NF.
  • This step is the same as S200, and the detailed description can refer to S200, which will not be repeated here.
  • the SCP sends an authorization request to the NRF, and the NRF receives the authorization request from the SCP.
  • the authorization request is used to ask the NRF whether the second NF has the right to receive the network function service provided by the third NF, and whether the first NF has the right to subscribe to the third NF for the network function service on behalf of the second NF.
  • for the parameters contained in the authorization request, refer to the relevant description of the parameters contained in the token request in S201.
  • the NRF performs authorization based on the received authorization request.
  • the NRF can determine whether the first NF has the authority to subscribe to the third NF for network function services on behalf of the second NF, and determine whether the second NF has the authority to receive network function services provided by the third NF.
  • the method for judging the authority may be, for example, that the NRF determines the authority according to the identity of the first NF, the identity of the second NF, the identity and/or type of the service provider, and/or other information carried in the authorization request, in combination with the locally configured policy or authorization information.
  • the NRF sends an authorization response to the SCP, and the SCP receives the authorization response from the NRF.
  • the authorization response is used to respond to the authorization request of S702.
  • the authorization response carries the authorization result of the authorization judgment.
  • if the authorization result is that the authorization is successful, which means that the first NF has the authority to subscribe to network function services from the third NF on behalf of the second NF and the second NF has the authority to receive network function services provided by the third NF, S704 is executed. Otherwise, the NRF process ends, or the NRF returns a response containing authorization failure to the SCP.
  • S702 to S704 can be omitted, and the authorization is judged by the SCP. That is, after the SCP receives the subscription request, based on the subscription request, it determines whether the first NF has the authority to subscribe to network function services from the third NF as a proxy for the second NF and whether the second NF has the authority to receive network function services provided by the third NF, to obtain the authorization result.
  • the SCP judges, according to the authorization response, whether to forward the subscription request or to send a subscription rejection message. If the authorization is successful, S706 is executed; otherwise, the SCP sends a subscription rejection message to the first NF.
  • the subscription rejection message indicates that the request of the first NF, acting as a proxy for the second NF, to subscribe to the network function service from the third NF is rejected.
  • the SCP sends an authorization notification to the second NF, and the second NF receives the authorization notification from the SCP.
  • the authorization notification carries the authorization result.
  • the authorization result includes: the second NF has the right to receive network function services provided by the third NF, and may also include that the first NF has the right to subscribe to the third NF for network function services on behalf of the second NF.
  • the second NF can save the authorization result in the authorization notification.
  • the SCP sends a subscription request to the third NF, and the third NF receives the subscription request from the SCP.
  • the subscription request carries the information carried in the subscription request received from the first NF, and may also carry the authorization result.
  • the authorization result is used to indicate whether the second NF has the right to receive the network function service provided by the third NF, and/or whether the first NF has the right to subscribe to the third NF for the network function service on behalf of the second NF.
  • the third NF returns a subscription response to the SCP, and the SCP receives the subscription response from the third NF.
  • the SCP sends a subscription response to the first NF, and the first NF receives the subscription response from the SCP.
  • the subscription response may carry the authorization result, which is used to indicate whether the first NF has the authority to subscribe to the third NF for the network function service by proxying the second NF.
  • the third NF provides network function services to the second NF according to the subscribed network function services.
  • when the subscription condition is met, the third NF sends a notification (notify) to the second NF, and the notification includes the network function service provided by the third NF.
  • the third NF may also send a notification to the first NF through the SCP, and the notification carries information such as service modification or unsubscription. Specifically, the third NF sends a notification to the SCP, and the SCP forwards the notification to the first NF.
  • the sixth authorization method for proxy subscription can also be applied to roaming scenarios.
  • the NFs are located in two different PLMNs.
  • the interaction between NFs is forwarded through the SCP serving it.
  • the subscription request sent by the first NF is forwarded by the SCP serving the first NF to the SCP serving the third NF.
  • the subscription response sent by the SCP serving the third NF is sent to the first NF by the SCP serving the first NF.
  • the authorization (that is, the judgment of authority) is completed by the NRF in the PLMN where the third NF is located.
  • the authorization verification (S705) is completed by the SCP serving the third NF; when the authorization is judged by the SCP, it is completed by the SCP in the PLMN where the third NF is located.
  • Other processing procedures are the same as those described in the sixth authorization method for proxy subscription.
  • the embodiments described below involve interactions between multiple NFs, and the multiple NFs include a first NF, a third NF, and an NRF.
  • the first NF corresponds to the aforementioned NF_A
  • the third NF corresponds to the aforementioned NF_B.
  • the first NF subscribes to the third NF, and then the third NF sends a service notification to the first NF.
  • the network function service provided by the service provider or service producer in this application may also be referred to as service for short.
  • the seventh authorization method for proxy subscription below is based on the interaction between three network functions, including the first NF, NRF, and third NF.
  • the process of the seventh method for authorization of proxy subscription provided by the embodiment of the present application is as follows.
  • the first NF sends a token request to the NRF, and the NRF receives the token request from the first NF.
  • This token request is used to request execution authorization.
  • the process of performing authorization includes: determining whether the first NF has the authority to send a subscription request to the third NF.
  • the token request carries the identifier of the service consumer (service consumer), that is, the identifier of the first NF.
  • the instance ID and/or the uniform resource identifier (URI) of the first NF are carried.
  • the token request may also carry the network function service for which the subscription is requested, the type of service producer and/or the service producer's identifier.
  • the service provider is the third NF.
  • the instance ID and/or uniform resource identifier (URI) of the third NF are carried, and/or the type of the third NF (NF type).
  • the token request can also carry an event ID (Event ID(s)), and/or an event list (Event List), and/or a subscription change notification uniform resource identifier (Subscription Change Notification Uniform Resource Identifier), and/or a subscription change notification correlation identifier (Subscription Change Notification Correlation ID), and/or a subscription permanent identifier (Subscription Permanent Identifier, SUPI), and/or a group identifier (Group ID), and/or a generic public subscription identifier (Generic Public Subscription Identifier, GPSI), and/or a permanent equipment identifier (Permanent Equipment Identifier, PEI).
  • the token request may also carry other parameters required for authorization and token generation.
  • the token request may also carry indication information, which is used to indicate that the first NF is requesting a token in a subscription scenario, that is, indicating that the NRF needs to determine whether the first NF has the authority to send a subscription request to the third NF.
  • the NRF generates a token based on the received token request.
  • the NRF first determines, according to the token request, that what the first NF requests is a token in the subscription scenario. Specifically, the NRF can determine this according to the service call name of the token request; or according to the indication information carried in the token request; or according to the parameters carried in the token request (such as the URI, Event ID(s), and so on); or the NRF determines by other methods that the current request of the first NF is for a token in the subscription scenario.
  • the NRF can determine the authority according to the identification of the first NF carried in the token request, the identification and/or type of the service provider (that is, the third NF), and/or other information in the token request, in combination with the locally configured policy or authorization information.
  • if the NRF determines that the first NF has the right to subscribe to the network function service from the third NF, it generates a token.
  • the generated token includes the first NF identifier, and the specific NF identifier may be the NF Instance ID, and/or the URI of the NF, and/or other forms of ID or address information that can uniquely identify the NF.
  • the token may also include an event ID (Event ID(s)), and/or an event list (Event List), and/or a subscription change notification uniform resource identifier (Subscription Change Notification Uniform Resource Identifier), and/or a subscription change notification correlation identifier (Subscription Change Notification Correlation ID), and/or a subscription permanent identifier (Subscription Permanent Identifier, SUPI), and/or a group identifier (Group ID), and/or a generic public subscription identifier (Generic Public Subscription Identifier, GPSI), and/or a permanent equipment identifier (Permanent Equipment Identifier, PEI), and/or other parameters required for authorization and token generation.
  • This application does not restrict how the token carries the identity of the first NF and other information in the token.
  • the token may also carry indication information indicating that the token is a token in the subscription scenario, for example that the first NF subscribes to the network function service of the third NF.
  • if the NRF determines that the first NF does not have the right, the procedure is ended, and a message may also be sent to the first NF to indicate the determination result.
  • the NRF sends a token response to the first NF, and the first NF receives the token response from the NRF.
  • the token response is used to respond to the token request in S1001.
  • the token response carries the token generated by NRF.
  • the token is used to indicate that the first NF has the right to subscribe to the network function service from the third NF.
  • in this way the NRF determines the subscription authority, which improves the security of the subscription.
  • the first NF sends a subscription request (subscribe request) to the third NF, and the third NF receives the subscription request from the first NF.
  • the subscription request is used by the first NF to request, on behalf of the second NF, a subscription to the network function service from the third NF.
  • the subscription request includes the aforementioned token, and the instance ID and/or uniform resource identifier (URI) of the first NF.
  • the subscription request may also carry the network function service for which the subscription is requested, and the type and/or identifier of the service producer, that is, the third NF: the instance ID and/or URI of the third NF, and/or the NF type of the third NF.
  • the subscription request may also carry the Event ID(s), and/or an Event List, and/or a Subscription Change Notification Uniform Resource Identifier, and/or a Subscription Change Notification Correlation ID, and/or a Subscription Permanent Identifier (SUPI), and/or a Group ID, and/or a Generic Public Subscription Identifier (GPSI), and/or a Permanent Equipment Identifier (PEI).
  • after the first NF determines from the token response that it has the right to subscribe to the network function service from the third NF, it sends a subscription request to the third NF.
  • the third NF verifies the token included in the subscription request. If the verification succeeds, it executes S1006; otherwise, if the token verification fails, the third NF ends the process or sends a subscription response to the first NF, the subscription response containing subscription failure, token verification failure information, or other information indicating that the process failed.
  • the third NF determines that the first NF has the right to subscribe to the network function service from the third NF.
  • the token verification includes one or more of the following: integrity verification of the token, verification of whether the token indicates that the first NF has the right to subscribe to the network function service of the third NF, and verification of the validity of the token.
  • the verification fails when any one of these checks is unsuccessful, and succeeds only when all of them are successful.
  • it is also necessary to check whether the subscription request contains the identity of the third NF, and to verify whether the identifier and/or type of the service producer contained in the audience claim of the token is the same as the identifier and/or type of the third NF. The third NF can also verify whether it can provide the network function service in the subscription request. For example, if the network function services that the third NF can provide are service 1, service 2 and service 3, and the token indicates that the authorized service is service 4, the verification fails.
  • the token has a validity period: within the validity period the token is valid, after it the token becomes invalid. The verification succeeds only when the token is within the validity period. The third NF can also verify whether the information contained in the token is consistent with the corresponding information in the subscription request.
  • the third NF may also verify the token through the NRF. Specifically, after receiving the subscription request, the third NF sends a verification request to the NRF; the NRF receives the verification request from the third NF, verifies the token contained in it and replies with the verification result to the third NF. If the verification is successful, the third NF executes S1006. Otherwise, the third NF ends the process or replies to the first NF with a subscription response containing subscription failure, token verification failure information, or other information indicating that the process failed.
  • when the NRF verifies the token, in addition to the token verification described above it can also verify whether the token is consistent with the token it stored, or with the token contained in the token response it sent to the first NF. If they are consistent the verification succeeds, otherwise it fails. Consistency means that the information indicated by the two tokens is the same.
  • the process of verifying the token through the NRF can replace S1005.
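A compact, runnable version of the flow described above (token generation in S1002, producer-side token verification in S1005, and the NRF-side verification alternative), as an added example that is not code from the patent or from 3GPP. It assumes the token is an HS256 JWS over a key shared by the NRF and the producer, chosen only to keep the demo self-contained (a real NRF signs with its own key), and the claim names proxy_for, sub_scenario, event_ids and notif_uri are illustrative; the NF identifiers, policy and key are constructed.

```python
# Added example (not code from the patent or 3GPP): a toy NRF that issues
# subscription-scenario tokens (S1002) and a producer-side verifier (S1005).
# Assumptions: the token is a JWS with HS256 over a key shared between NRF
# and producer (chosen for a self-contained demo; real NRFs sign with their
# own key), and the claim names proxy_for, sub_scenario, event_ids and
# notif_uri are illustrative, not standardised names.
import base64, hashlib, hmac, json, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class NRF:
    def __init__(self, key: bytes, policy: dict):
        self.key = key
        self.policy = policy   # consumer id -> {producer id -> services it may subscribe to}
        self.issued = {}       # consumer id -> last token issued (NRF-side consistency check)

    def token_request(self, consumer, proxy_for, producer, service, event_ids, notif_uri, ttl=300):
        """S1002: authorise against local policy and, if allowed, return a signed token; else None."""
        if service not in self.policy.get(consumer, {}).get(producer, set()):
            return None
        now = int(time.time())
        claims = {"iss": "nrf-1", "sub": consumer, "proxy_for": proxy_for, "aud": producer,
                  "scope": service, "sub_scenario": True, "event_ids": sorted(event_ids),
                  "notif_uri": notif_uri, "iat": now, "exp": now + ttl}
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        token = f"{header}.{body}.{_b64(sig)}"
        self.issued[consumer] = token
        return token

    def verify_for_producer(self, token, producer, request):
        """S1005 via NRF: the producer's checks plus consistency with the token the NRF issued."""
        ok, reason = verify_token(token, self.key, producer, request)
        if ok and self.issued.get(request["consumer"]) != token:
            return False, "token differs from the one issued to this consumer"
        return ok, reason

def _claims_if_intact(token, key):
    """Integrity check: recompute the HMAC over header.body; return the claims or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(parts[2])):
        return None
    return json.loads(_unb64(parts[1]))

def verify_token(token, key, producer, request, now=None):
    """S1005 at the producer. producer = {"id", "type", "services"}; request = the subscription request."""
    now = int(time.time()) if now is None else now
    claims = _claims_if_intact(token, key)
    if claims is None:
        return False, "integrity check failed"
    if not claims.get("sub_scenario"):
        return False, "token is not a subscription-scenario token"
    if now >= claims["exp"]:
        return False, "token expired"
    if claims["aud"] not in (producer["id"], producer["type"]):   # audience claim vs this producer
        return False, "audience mismatch"
    if claims["scope"] not in producer["services"]:             # the "service 4 vs services 1..3" case
        return False, "producer cannot provide the authorised service"
    # consistency between the token and the subscription request that carries it
    if claims["sub"] != request["consumer"] or claims["proxy_for"] != request["proxy_for"]:
        return False, "consumer identifiers differ from token"
    if claims["scope"] != request["service"] or claims["notif_uri"] != request["notif_uri"]:
        return False, "service or notification URI differs from token"
    if not set(request["event_ids"]) <= set(claims["event_ids"]):
        return False, "requested events not covered by token"
    return True, "ok"

def demo():
    """Constructed sample flow (all identifiers and the key are made up); returns each outcome."""
    key = b"demo-shared-key-not-for-production"
    nrf = NRF(key, {"amf-001": {"udm-007": {"service1", "service2", "service4"}}})
    producer = {"id": "udm-007", "type": "UDM", "services": {"service1", "service2", "service3"}}
    req = {"consumer": "amf-001", "proxy_for": "smf-042", "service": "service1",
           "event_ids": ["LOSS_OF_CONNECTIVITY"], "notif_uri": "https://smf-042.example/notify"}
    good = nrf.token_request("amf-001", "smf-042", "udm-007", "service1", req["event_ids"], req["notif_uri"])
    out = {"valid": verify_token(good, key, producer, req),
           "nrf_consistent": nrf.verify_for_producer(good, producer, req)}
    # NRF policy allows service4, but this producer only offers services 1-3
    svc4 = nrf.token_request("amf-001", "smf-042", "udm-007", "service4", req["event_ids"], req["notif_uri"])
    out["wrong_service"] = verify_token(svc4, key, producer, dict(req, service="service4"))
    h, b, s = good.split(".")
    out["tampered"] = verify_token(f"{h}.{b}x.{s}", key, producer, req)      # body altered, signature stale
    out["expired"] = verify_token(good, key, producer, req, now=int(time.time()) + 3600)
    out["not_authorised"] = nrf.token_request("amf-001", "smf-042", "udm-007", "service3", [], req["notif_uri"])
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order of checks mirrors the list above: integrity first, so that no claim is trusted before the signature is good; then the subscription-scenario indication, the validity period and the audience claim; then whether this producer can actually provide the authorised service; and finally the comparison of the token's claims with the subscription request that carries it, which is what stops a token issued for one subscription (consumer, service, events, notification URI) from being reused for a different one. The NRF-side variant adds the stored-token comparison the text describes for the case where the producer delegates verification to the NRF.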
  • the third NF sends a subscription response (subscribe response) to the first NF, and the first NF receives the subscription response from the third NF.
  • the subscription response may carry the authorization result, which indicates that the first NF has the authority to subscribe to the network function service from the third NF on behalf of the second NF; or, the third NF carries the successfully verified token in the subscription response.
  • the first NF determines that the authorization is successful according to the token carried in the subscription response or the authorization result.
  • the third NF provides network function services to the first NF according to the subscribed network function services.
  • when the subscription condition is met, the third NF sends a notification (notify) to the first NF, and the notification includes the network function service provided by the third NF.
  • the third NF may also send a notification to the first NF, and the notification carries information such as service modification or unsubscription.
  • the seventh subscription authorization method can also be applied to roaming scenarios.
  • each NF is located in two different public land mobile networks (PLMN).
  • the interaction between NFs is forwarded through the SCP serving it.
  • the token request sent by the first NF is forwarded by the NRF in the PLMN where the first NF is located to the NRF in the PLMN where the third NF is located.
  • the token response sent by the NRF in the PLMN where the third NF is located is forwarded to the first NF by the NRF in the PLMN where the first NF is located.
  • the generation and authorization of the token is completed by the NRF in the PLMN where the third NF is located.
  • the token verification is also completed by the NRF in the PLMN where the third NF is located.
  • the other processing procedures are the same as those described in the seventh authorization method for proxy subscription.
  • the embodiment of this application provides the eighth subscription authorization method.
  • the eighth method of subscription authorization described below is based on the interaction between four network functions.
  • the four network functions include the first NF, the third NF, NRF and SCP.
  • the network function service provided by the service provider or service producer in this application may also be referred to as service for short.
  • SCP is used to play the role of service call forwarding between NFs, or SCP can independently complete the authorization of requesting services, or SCP can cooperate with NRF to complete the authorization of requesting services.
  • the process of the eighth method for authorization of subscription provided in the embodiment of the present application is as follows. This method uses tokens to ensure the security of the subscription.
  • the first NF sends a token request to the NRF, and the NRF receives the token request from the first NF.
  • the NRF generates a token based on the received token request.
  • the NRF sends a token response to the first NF, and the first NF receives the token response from the NRF.
  • S1101 to S1103 are the same as S1001 to S1003; refer to the related description of the seventh authorization method for proxy subscription.
  • the first NF sends a subscription request (subscribe request) to the SCP, and the SCP receives the subscription request from the first NF.
  • the subscription request is used by the first NF to request, on behalf of the second NF, a subscription to the network function service from the third NF.
  • the subscription request includes the above token.
  • the SCP verifies the token contained in the subscription request. If the verification succeeds, it executes S1106; otherwise, if the verification fails, the SCP ends the process or replies to the first NF with a subscription response containing subscription failure, token verification failure information, or other information indicating process failure.
  • the SCP determines that the first NF has the right to subscribe to the network function service from the third NF.
  • the verification includes one or more of the following: integrity verification of the token, verification of whether the token indicates that the first NF has the right to subscribe to the network function service from the third NF, and verification of the validity of the token.
  • the verification fails when any one of these checks is unsuccessful, and succeeds only when all of them are successful.
  • it is also necessary to check whether the subscription request contains the identity of the third NF, and to verify whether the identity and/or type of the service producer contained in the audience claim of the token is the same as the identity and/or type of the third NF as known to the SCP. The SCP can obtain the identity of the third NF from its local configuration, by querying the information of the third NF, or from information obtained from the NRF. The SCP can also verify whether the third NF can provide the subscribed network function service.
  • for example, if the network function services that the third NF can provide are service 1, service 2 and service 3, and the token indicates that the authorized service is service 4, the verification fails.
  • the token has a validity period: within the validity period the token is valid, after it the token becomes invalid. The verification succeeds only when the token is within the validity period. The SCP can also verify whether the information contained in the token is consistent with the corresponding information in the subscription request.
  • similar to the seventh subscription authorization method, the token can also be verified through the NRF. Specifically, after receiving the subscription request, the SCP sends a verification request to the NRF; the NRF receives the verification request from the SCP, verifies the token included in it and returns the verification result to the SCP. If the verification is successful, the SCP executes S1106; otherwise, the SCP ends the process or replies to the first NF with a subscription response containing subscription failure, token verification failure information, or other information indicating process failure.
  • the process of verifying the token through the NRF can replace S1105.
  • the SCP sends a subscription request to the third NF, and the third NF receives the subscription request from the SCP.
  • the subscription request carries the information carried in the subscription request received from the first NF, and may also carry the verification result.
  • the verification result is used to indicate whether the token verification is successful. Or it is used to indicate the authorization result, that is, whether the first NF has the right to subscribe to the network function service from the third NF.
  • the third NF returns a subscription response to the SCP, and the SCP receives the subscription response from the third NF.
  • the SCP sends a subscription response to the first NF, and the first NF receives the subscription response from the SCP.
  • the subscription response may carry the authorization result, which is used to indicate whether the first NF has the right to subscribe to the network function service from the third NF.
  • when the SCP verifies the token successfully, the authorization result is yes; when the SCP's verification of the token is unsuccessful, the authorization result is no.
  • an authorization result of yes means that the first NF has the right to subscribe to the network function service from the third NF.
  • an authorization result of no means that the first NF does not have the right to subscribe to the network function service from the third NF.
  • the subscription response may carry the token.
  • the third NF provides network function services to the first NF according to the subscribed network function services.
  • when the subscription condition is met, the third NF sends a notification (notify) to the first NF through the SCP, and the notification includes the network function service provided by the third NF.
  • the third NF may also send a notification to the first NF through the SCP, and the notification carries information such as service modification or unsubscription. Specifically, the third NF sends a notification to the SCP, and the SCP forwards the notification to the first NF.
  • the eighth subscription authorization method can also be applied to roaming scenarios.
  • each NF is located in two different PLMNs.
  • the interaction between NFs is forwarded through the SCP serving it.
  • the token request sent by the first NF is forwarded by the NRF in the PLMN where the first NF is located to the NRF in the PLMN where the third NF is located.
  • the token response sent by the NRF in the PLMN where the third NF is located is forwarded to the first NF by the NRF in the PLMN where the first NF is located.
  • the generation and authorization of the token is completed by the NRF in the PLMN where the third NF is located.
  • the token verification is also completed by the NRF in the PLMN where the third NF is located.
  • alternatively, the verification of the token is completed by the SCP serving the third NF.
  • the other processing procedures are the same as those described in the eighth subscription authorization method.
  • the authority is judged by the NRF and the SCP performs the token verification, which improves the security of proxy subscription.
  • an embodiment of the present application also provides an authorization device 800 for proxy subscription.
  • the device 800 includes a receiving unit 801 and a processing unit 802, and also includes a sending unit 803.
  • the device 800 can be applied to an NRF, or may itself be an NRF, and the device 800 can perform the operations performed by the NRF in each proxy subscription authorization method.
  • the receiving unit 801 is configured to receive a token request from the first network function NF
  • the processing unit 802 is configured to generate a token based on the token request.
  • the receiving unit 801 is further configured to receive a verification request from the third NF.
  • the processing unit 802 is further configured to verify the second token carried in the verification request.
  • the sending unit 803 is used for the NRF to send messages to other functions.
  • the device 800 may also be applied to the first NF, and may also be the first NF, and the device 800 may perform the operations performed by the first NF in the authorization method for each proxy subscription.
  • the sending unit 803 is configured to send a token request to the network function storage function NRF, and the token request is used to request the NRF to generate a token.
  • the receiving unit 801 is configured to receive a token from the NRF.
  • the device 800 may also be applied to a third NF, or may be a third NF, and the device 800 may perform operations performed by the third NF in the authorization method of each proxy subscription.
  • the receiving unit 801 is configured to receive a subscription request from the first NF, and the subscription request carries a token.
  • the processing unit 802 is configured to verify the token included in the subscription request to obtain a verification result.
  • the sending unit 803 is configured to send a subscription response to the first NF, where the subscription response carries the verification result.
  • an embodiment of the present application also provides an authorization device 900 for proxy subscription.
  • the proxy subscription authorization device 900 is used to implement the operations performed by the NRF, the first NF, the second NF, the third NF or the SCP in each proxy subscription authorization method provided in the foregoing embodiments.
  • for brevity, the possible physical device for each of these functions is illustrated by the single schematic diagram of FIG. 9; it can be understood that FIG. 9 is only a schematic diagram, applicable to each of the functions described above.
  • the authorization device 900 for proxy subscription includes a transceiver 901, a processor 902, and may also include a memory 903.
  • the processor 902 is used to call a set of programs; when the programs are executed, the processor 902 performs the operations of the NRF, the first NF, the second NF, the third NF or the SCP in each proxy subscription authorization method provided in the above embodiments.
  • the memory 903 is used to store programs executed by the processor 902.
  • the sending unit and the receiving unit of the functional module in FIG. 8 may be implemented by the transceiver 901, and the processing unit may be implemented by the processor 902.
  • the processor 902 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
  • the processor 902 may further include a hardware chip.
  • the aforementioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL) or any combination thereof.
  • the memory 903 may include a volatile memory, such as a random-access memory (RAM); the memory 903 may also include a non-volatile memory, such as a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 903 may also include a combination of the foregoing types of memory.
  • part or all of the operations and functions performed by the described functional entities (or functions) may be completed by chips or integrated circuits.
  • an embodiment of the present application further provides a chip, including a processor, for supporting the device to implement the functions involved in the method provided in the foregoing embodiment.
  • the chip is connected to a memory or the chip includes a memory, and the memory is used to store the necessary program instructions and data of the device.
  • the embodiment of the present application provides a computer storage medium storing a computer program, and the computer program includes instructions for executing the method provided in the foregoing embodiment.
  • the embodiments of the present application provide a computer program product containing instructions, which when run on a computer, cause the computer to execute the method provided in the foregoing embodiments.
  • the embodiments of the present application can be provided as methods, systems, or computer program products. Therefore, the present application may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, this application may adopt the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program codes.
  • these computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
  • these computer program instructions can also be loaded onto a computer or other programmable data processing equipment, so that a series of operational steps is executed on the computer or other programmable equipment to produce computer-implemented processing; the instructions executed on the computer or other programmable equipment thus provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application provides a proxy subscription authorization method and device, used for improving the security of a proxy subscription process. The method comprises: a network repository function (NRF) receiving a token request from a first network function (NF), said token request comprising the identity of the first NF and the identity of the second NF; the NRF generating a first token on the basis of the token request, said first token being used for indicating that the first NF has the authority to subscribe network function services from the third NF on behalf of the second NF, and is used for indicating that the second NF has the authority to receive a network function service provided by the third NF; the NRF sending the first token to the first NF.

Description

Authorization method and device for proxy subscription

Technical field
The embodiments of the present application relate to the field of communication technology, and in particular to an authorization method and device for proxy subscription.
Background
The fifth generation mobile communication system (5G) adopts a service-based architecture (SBA). The 3rd Generation Partnership Project (3GPP) has also proposed an enhanced service-based architecture (eSBA). In SBA and eSBA, communication between the network functions (NFs) of the core network uses service invocation. For example, two NFs interact in a "subscribe-notify" manner: NF_A subscribes to a service from NF_B, and once the corresponding condition is met NF_B notifies NF_A of the related service.
In addition, the SBA and eSBA architectures also support proxy subscription. In the proxy subscription scenario, NF_A can subscribe to a service from NF_B on behalf of NF_C, and once the corresponding condition is met NF_B notifies NF_C directly. In this scenario, the subscription, modification and cancellation of the service are all performed by NF_A on behalf of NF_C; NF_C only receives the service notifications from NF_B.
However, how to ensure the security of proxy subscription in this scenario is a problem that needs to be solved.
Summary of the invention
The embodiments of the present application provide an authorization method and device for proxy subscription, to solve the problem of how to ensure the security of proxy subscription in the proxy subscription scenario.
In a first aspect, an authorization method for proxy subscription is provided, which may be performed by a network repository function (NRF). The method includes the following steps: the NRF receives a token request from a first network function (NF), the token request including the identifier of the first NF and the identifier of the second NF; the NRF generates a first token based on the token request, the first token being used to indicate that the first NF has the right to subscribe to a network function service from the third NF on behalf of the second NF, and to indicate that the second NF has the right to receive the network function service provided by the third NF; the NRF sends the first token to the first NF. In the proxy subscription scenario the NRF thus makes an authorization decision on the rights of both service requesters involved in the proxy subscription and indicates the result through the token, which helps to ensure the security of the proxy subscription.
In a possible design, the NRF receives a token request from the first NF; the NRF performs authorization based on the token request and, if the authorization succeeds, sends the first token to the first NF. The authorization includes determining whether the first NF has the right to subscribe to the network function service from the third NF on behalf of the second NF, and determining whether the second NF has the right to receive the network function service provided by the third NF. In the proxy subscription scenario the NRF thus makes an authorization decision on the rights of both service requesters and indicates the result through the token, which helps to ensure the security of the proxy subscription.
In a possible design, the token request includes first indication information, used to indicate that the first NF subscribes to the network function service from the third NF on behalf of the second NF, so that the NRF determines from the indication information that the first token needs to be generated.
In a possible design, the first token includes the identifier of the second NF, so that the third NF can determine the information of the second NF after verifying the token successfully.
In a possible design, the first token includes second indication information, used to indicate to the third NF that the first token is for the first NF subscribing to the network function service from the third NF on behalf of the second NF.
In a possible design, the first token is used to indicate that the first NF has the right to subscribe to the network function service from the third NF on behalf of the second NF, and that the second NF has the right to receive the network function service provided by the third NF. The rights are thus represented by the token.
In a possible design, the NRF receives a verification request from the third NF, the verification request including a second token and requesting verification of the second token; the NRF verifies the second token and returns the verification result to the third NF. Here the third NF is the service provider; the NRF can verify the token presented to the service provider, further ensuring the security of the proxy subscription.
In a possible design, the verification includes one or more of the following: integrity verification of the second token; verification of whether the second token indicates that the second NF has the right to receive the network function service provided by the third NF; verification of the validity of the second token; verification of whether the identifier of the service provider contained in the token is the same as the identifier of the third NF; and verification of whether the second token is consistent with the first token.
In a second aspect, a proxy subscription authorization method is provided. The method may be performed by a first network function (NF) and includes the following steps: the first NF sends a token request to the network repository function (NRF), the token request including the identifier of the first NF and the identifier of the second NF; the first NF receives a token from the NRF, the token indicating that the first NF has permission to subscribe to a network function service from the third NF on behalf of the second NF, and that the second NF has permission to receive the network function service provided by the third NF. By having the first NF, in the proxy subscription scenario, ask the NRF to make an authorization judgment on the service requesters of the proxy subscription, and by indicating the result through a token, the security of the proxy subscription in this scenario can be ensured.

In a possible design, the first NF sends a token request to the NRF, the token request asking the NRF to perform authorization, where the authorization includes judging whether the first NF has permission to subscribe to a network function service from the third NF on behalf of the second NF, and judging whether the second NF has permission to receive the network function service provided by the third NF; the first NF then receives a token from the NRF. By having the first NF, in the proxy subscription scenario, ask the NRF to make an authorization judgment on the service requesters of the proxy subscription, and by indicating the result through a token, the security of the proxy subscription in this scenario can be ensured.

In a possible design, the token request includes the identifier of the first NF and the identifier of the second NF. The identifiers of the two service requesters characterize the proxy subscription scenario.

In a possible design, the token request includes first indication information, which indicates that the first NF subscribes to a network function service from the third NF on behalf of the second NF. This indication information characterizes the proxy subscription scenario.

In a possible design, the token includes the identifier of the second NF, which the third NF uses to determine the information of the second NF after successfully verifying the token.

In a possible design, the first token includes the second indication information, which indicates to the third NF that the first token is for the first NF subscribing to a network function service from the third NF on behalf of the second NF.

In a possible design, the token indicates that the first NF has permission to subscribe to a network function service from the third NF on behalf of the second NF, and that the second NF has permission to receive the network function service provided by the third NF. The permissions are represented by the token.

In a possible design, the first NF sends a subscription request to the third NF, and the subscription request carries the token. Carrying the token in the subscription request indicates that the two service requesters in the proxy subscription scenario are authorized.

In a possible design, the first NF receives a subscription response from the third NF; the subscription response carries the token or an authorization result, the authorization result including: the second NF has permission to receive the network function service provided by the third NF, and the first NF has permission to subscribe to the network function service from the third NF on behalf of the second NF. If the subscription response carries the token, this indicates that the token carried in the subscription request passed verification. If the subscription response carries the authorization result, this indicates that the service requesters of this proxy subscription have completed authorization. Further, after receiving the token or authorization result, the first NF may forward the token or authorization result to the third NF, so as to notify the second NF of whether the authorization succeeded.

In a possible design, the first NF receives a notification from the third NF; the notification carries the token or an authorization result, the authorization result including that the first NF has permission to subscribe to the network function service from the third NF on behalf of the second NF, and that the second NF has permission to receive the network function service provided by the third NF. If the notification carries the token, this indicates that the token carried in the subscription request passed verification. If the notification carries the authorization result, this indicates that the service requesters of this proxy subscription have completed authorization. Further, after receiving the token or authorization result, the first NF may forward the token or authorization result to the third NF, so as to notify the second NF of whether the authorization succeeded.
In a third aspect, a proxy subscription authorization method is provided. The method may be performed by a third network function (NF) and includes the following steps: the third NF receives a subscription request from the first NF, the subscription request carrying a token; the third NF verifies the token contained in the subscription request to obtain a verification result, where, if the verification succeeds, the first NF has permission to subscribe to a network function service from the third NF on behalf of the second NF and the second NF has permission to receive the network function service provided by the third NF, and, if the verification fails, the first NF does not have permission to subscribe to the network function service from the third NF on behalf of the second NF and the second NF does not have permission to receive the network function service provided by the third NF; the third NF sends a subscription response to the first NF, the subscription response carrying the verification result. After receiving the subscription request, the third NF determines from the token carried in it that this is a proxy subscription scenario and verifies the token, which further improves the authorization in the proxy subscription scenario and ensures the security of the proxy subscription.

In a possible design, the token carries the identifier of the second NF, which the third NF uses to determine the information of the second NF after successfully verifying the token.

In a possible design, when the verification succeeds, the third NF obtains the identifier of the second NF from the token.

In a possible design, the token carries indication information indicating that the first NF subscribes to a network function service from the third NF on behalf of the second NF, so that the third NF can learn that the first token is a token for the first NF subscribing to the network function service from the third NF on behalf of the second NF.

In a possible design, when the verification succeeds, the third NF sends an authorization notification to the second NF; the authorization notification contains an authorization result, which includes that the second NF has permission to receive the network function service provided by the third NF. The authorization notification conveys the authorization result to the second NF.

In a possible design, the verification includes one or more of the following: performing an integrity check on the token; checking whether the token indicates that the second NF has permission to receive the network function service provided by the third NF; checking the validity of the token; checking whether the service producer identifier contained in the token is the same as the identifier of the third NF; and checking whether the token is consistent with the token stored by the third NF.

In a possible design, the subscription request further carries the identifier of the first NF and the identifier of the second NF. The identifiers of the two service requesters characterize this subscription request as a proxy subscription scenario.

In a possible design, the subscription response further carries the token or an authorization result, the authorization result including that the first NF has permission to subscribe to the network function service from the third NF on behalf of the second NF and that the second NF has permission to receive the network function service provided by the third NF. If the subscription response carries the token, this indicates that the token carried in the subscription request passed verification. If the subscription response carries the authorization result, this indicates that the service requesters of this proxy subscription have completed authorization. Further, after receiving the token or authorization result, the first NF may forward the token or authorization result to the third NF, so as to notify the second NF of whether the authorization succeeded.

In a possible design, the third NF sends a notification to the first NF; the notification carries the token or an authorization result, the authorization result including that the first NF has permission to subscribe to the network function service from the third NF on behalf of the second NF and that the second NF has permission to receive the network function service provided by the third NF. If the notification carries the token, this indicates that the token carried in the subscription request passed verification. If the notification carries the authorization result, this indicates that the service requesters of this proxy subscription have completed authorization. Further, after receiving the token or authorization result, the first NF may forward the token or authorization result to the third NF, so as to notify the second NF of whether the authorization succeeded.
In a fourth aspect, a proxy subscription system is provided. The system includes a first network function (NF) and a network repository function (NRF). The first NF is configured to send a token request to the NRF, the token request including the identifier of the first NF and the identifier of the second NF; the NRF is configured to receive the token request from the first NF, generate a token based on the token request, and send the token to the first NF, the token indicating whether the first NF has permission to subscribe to a network function service from the third NF on behalf of the second NF, and whether the second NF has permission to receive the network function service provided by the third NF. By having the first NF, in the proxy subscription scenario, ask the NRF to make an authorization judgment on the service requesters of the proxy subscription, and by having the NRF judge the permissions of the two service requesters of the proxy subscription and indicate the result through a token, the security of the proxy subscription in this scenario can be ensured.

In a possible design, the first NF is configured to send a token request to the NRF, the token request including the identifier of the first NF and the identifier of the second NF; the NRF is configured to receive the token request from the first NF, perform authorization based on the token request, and, if the authorization succeeds, send a token to the first NF, where the authorization includes judging whether the first NF has permission to subscribe to a network function service from the third NF on behalf of the second NF, and judging whether the second NF has permission to receive the network function service provided by the third NF. By having the first NF, in the proxy subscription scenario, ask the NRF to make an authorization judgment on the service requesters of the proxy subscription, and by having the NRF judge the permissions of the two service requesters of the proxy subscription and indicate the result through a token, the security of the proxy subscription in this scenario can be ensured.

In a possible design, the token request includes first indication information, which indicates that the first NF subscribes to a network function service from the third NF on behalf of the second NF, so that the NRF determines from the indication information that the token needs to be generated.

In a possible design, the first NF is further configured to send a subscription request to the third NF, the subscription request carrying the token. Carrying the token in the subscription request indicates that the two service requesters in the proxy subscription scenario are authorized.

In a possible design, the token includes the identifier of the second NF, which the third NF uses to determine the information of the second NF after successfully verifying the token.

In a possible design, the second indication information is included, and the second indication information indicates that the first NF subscribes to a network function service from the third NF on behalf of the second NF.

In a possible design, the system further includes the third NF, which is configured to receive a subscription request from the first NF, verify the token carried in the subscription request, and obtain a verification result, where, if the verification succeeds, the first NF has permission to subscribe to a network function service from the third NF on behalf of the second NF and the second NF has permission to receive the network function service provided by the third NF, and, if the verification fails, the first NF does not have permission to subscribe to the network function service from the third NF on behalf of the second NF and the second NF does not have permission to receive the network function service provided by the third NF. After receiving the subscription request, the third NF determines from the token carried in it that this is a proxy subscription scenario and verifies the token, which further improves the authorization in the proxy subscription scenario and ensures the security of the proxy subscription.

In a possible design, the third NF is further configured to send a subscription response to the first NF, the subscription response carrying the token or an authorization result; the authorization result includes that the first NF has permission to subscribe to the network function service from the third NF on behalf of the second NF and that the second NF has permission to receive the network function service provided by the third NF; the first NF is further configured to receive the subscription response from the third NF.

In a possible design, the third NF is further configured to send an authorization notification to the second NF when the verification succeeds; the authorization notification contains an authorization result, which includes that the second NF has permission to receive the network function service provided by the third NF. The second NF is further configured to receive the authorization notification from the third NF. If the subscription response carries the token, this indicates that the token carried in the subscription request passed verification. If the subscription response carries the authorization result, this indicates that the service requesters of this proxy subscription have completed authorization. Further, after receiving the token or authorization result, the first NF may forward the token or authorization result to the third NF, so as to notify the second NF of whether the authorization succeeded.

In a possible design, the verification includes one or more of the following: performing an integrity check on the token; checking whether the token indicates that the second NF has permission to receive the network function service provided by the third NF; checking the validity of the token; checking whether the service producer identifier contained in the token is the same as the identifier of the third NF; and checking whether the token is consistent with the token stored by the third NF.

In a possible design, the third NF is further configured to send a notification to the first NF, the notification carrying the token or an authorization result; the authorization result includes that the first NF has permission to subscribe to the network function service from the third NF on behalf of the second NF and that the second NF has permission to receive the network function service provided by the third NF; the first NF is further configured to receive the notification from the third NF. If the notification carries the token, this indicates that the token carried in the subscription request passed verification. If the notification carries the authorization result, this indicates that the service requesters of this proxy subscription have completed authorization. Further, after receiving the token or authorization result, the first NF may forward the token or authorization result to the third NF, so as to notify the second NF of whether the authorization succeeded.

In a possible design, the token request includes the identifier of the first NF and the identifier of the second NF. The identifiers of the two service requesters characterize the proxy subscription scenario.
In a fifth aspect, a proxy subscription authorization method is provided. The method may be performed by a service communication proxy (SCP) and includes the following steps: the SCP receives a subscription request from a first network function (NF), the subscription request being used by the first NF to request a subscription to a network function service from the third NF on behalf of the second NF; the SCP determines that the second NF has permission to receive the network function service provided by the third NF; the SCP sends an authorization notification to the second NF, the authorization notification indicating that the second NF has permission to receive the network function service provided by the third NF. By having the SCP judge the permissions of the two service requesters in the proxy subscription scenario, the security of the proxy subscription in this scenario can be ensured.

In a possible design, the subscription request includes one or more tokens, and the SCP determines that the second NF has permission to receive the network function service provided by the third NF in the following way: based on the one or more tokens, the SCP determines that the second NF has permission to receive the network function service provided by the third NF. A single token may indicate both that the first NF has permission to subscribe to the network function service from the third NF on behalf of the second NF and that the second NF has permission to receive the network function service provided by the third NF. Multiple tokens may be, for example, two tokens, one indicating that the first NF has permission to subscribe to the network function service from the third NF on behalf of the second NF, and the other indicating that the second NF has permission to receive the network function service provided by the third NF.

In a possible design, the SCP verifies the token; the verification includes one or more of the following: performing an integrity check on the token, checking whether the token indicates that the second NF has permission to receive the network function service provided by the third NF, and checking the validity of the token. The verification fails if any one of these checks fails, and succeeds when all of them succeed. Specifically, it is necessary to check whether the subscription request contains the identifier of the third NF. It is also necessary to check whether the service producer identifier contained in the audience claim of the token is the same as the identifier of the third NF looked up by the SCP. Specifically, the SCP may look up the identifier of the third NF from locally configured information or from information obtained from the NRF. The SCP may also check whether the third NF is able to provide the subscribed network function service.

In a possible design, if the verification succeeds, the SCP sends an authorization notification to the second NF; the authorization notification includes an authorization result, which includes that the first NF has permission to subscribe to the network function service from the third NF on behalf of the second NF and that the second NF has permission to receive the network function service provided by the third NF. Alternatively, if the verification succeeds, the SCP sends a token to the second NF, the token indicating that the first NF has permission to subscribe to the network function service from the third NF on behalf of the second NF and that the second NF has permission to receive the network function service provided by the third NF.

In a possible design, the one or more tokens include a first token and a second token; the first token indicates that the first NF has permission to subscribe to the network function service from the third NF on behalf of the second NF, and the second token indicates that the second NF has permission to receive the network function service provided by the third NF.

In a possible design, the SCP determines that the second NF has permission to receive the network function service provided by the third NF in the following way: the SCP sends an authorization request to the NRF, and the SCP receives from the NRF a response to the authorization request, the response indicating that the second NF has permission to receive the network function service provided by the third NF. Having the NRF make the authorization judgment and return the authorization result to the SCP improves security in the proxy subscription scenario.
In a sixth aspect, a proxy subscription authorization method is provided. The method may be performed by a third network function (NF) and includes the following steps: the third NF receives a subscription request from the first NF, the subscription request being used by the first NF to subscribe to a network function service from the third NF on behalf of the second NF; the third NF determines that the second NF has permission to receive the network function service provided by the third NF; the third NF sends an authorization notification to the second NF, the authorization notification indicating that the second NF has permission to receive the network function service provided by the third NF. Having the third NF judge the permissions of the two service requesters in the subscription request improves the security of the proxy subscription.

In a possible design, the third NF judges whether the first NF has permission to subscribe to the network function service from the third NF on behalf of the second NF, and judges whether the second NF has permission to receive the network function service provided by the third NF; when both judgments are yes, the authorization result obtained by the third NF is yes.

In a possible design, the subscription request contains one or more tokens; the third NF verifies the tokens contained in the subscription request and, when the verification succeeds, determines that the second NF has permission to receive the network function service provided by the third NF, where the verification includes one or more of the following: performing an integrity check on the token, checking whether the token indicates that the second NF has permission to receive the network function service provided by the third NF, and checking the validity of the token. The verification fails if any one of these checks fails, and succeeds when all of them succeed. Specifically, it is necessary to check whether the subscription request contains the identifier of the third NF.

In a possible design, the subscription request contains a first token and a second token; the first token indicates that the first NF has permission to subscribe to the network function service from the third NF on behalf of the second NF, and the second token indicates that the second NF has permission to receive the network function service provided by the third NF.
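The following is an added example, not code from the patent or from the applicant: it models, in one place, the token request and the two NRF judgments of the second and fourth aspects (is the first NF allowed to act for the second NF, and is the second NF allowed to receive the service from the third NF), and the token checks that the third, fifth and sixth aspects list for the service producer or SCP (integrity, validity period, the audience claim equal to the producer's identifier, the token granting the second NF the service, and consistency with a stored token). Everything concrete is constructed for the demonstration: the NF identifiers, the policy table standing in for NF profiles, the claim names (`aud`, `scope`, `target_nf`, `proxy_subscription`), and an HMAC shared key in place of whatever signature scheme a real NRF would use.

```python
"""Added example (not the patent's own code): an NRF that makes the two
proxy-subscription judgments and issues an HMAC-signed token, and a service
producer (third NF) or SCP that verifies it. NF identifiers, signing key,
policy table and claim names are all constructed for this demonstration."""
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the NF profiles an NRF holds.
NRF_POLICY = {
    # producer -> service -> consumers allowed to receive it
    "pcf-1": {"npcf-policyauthorization": {"allowed_consumers": {"amf-1"}}},
    # consumer -> NFs allowed to subscribe on its behalf (proxy permission)
    "amf-1": {"allowed_proxies": {"smf-1"}},
}
NRF_KEY = b"constructed-nrf-signing-key"  # shared secret, demo only


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def nrf_authorize(first_nf, second_nf, third_nf, service):
    """Judgment 1: may first_nf subscribe on behalf of second_nf?
    Judgment 2: may second_nf receive `service` from third_nf?"""
    proxy_ok = first_nf in NRF_POLICY.get(second_nf, {}).get("allowed_proxies", set())
    svc = NRF_POLICY.get(third_nf, {}).get(service, {})
    consumer_ok = second_nf in svc.get("allowed_consumers", set())
    return proxy_ok, consumer_ok


def nrf_issue_token(token_request, now=None):
    """Handle a token request carrying the first and second NF identifiers
    (plus producer and service, an assumption here). A token is issued only
    if both judgments succeed; otherwise None is returned (request refused)."""
    now = int(time.time() if now is None else now)
    proxy_ok, consumer_ok = nrf_authorize(
        token_request["first_nf"], token_request["second_nf"],
        token_request["third_nf"], token_request["service"])
    if not (proxy_ok and consumer_ok):
        return None
    claims = {
        "iss": "nrf-1",
        "sub": token_request["first_nf"],         # the proxy (first NF)
        "target_nf": token_request["second_nf"],  # second NF identifier
        "aud": token_request["third_nf"],         # service producer identifier
        "scope": token_request["service"],
        "proxy_subscription": True,  # indication: first NF acts for second NF
        "exp": now + 300,            # validity period
    }
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(NRF_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64url(sig)


def producer_verify_token(token, my_nf_id, service, now=None, stored_token=None):
    """Checks by the third NF (or an SCP acting for it): integrity, audience
    equals this producer, validity, the token grants the second NF `service`
    via a proxy subscription, and optional consistency with a stored token.
    Returns (ok, second_nf_identifier_or_None, reason)."""
    now = int(time.time() if now is None else now)
    try:
        payload, sig = token.split(".")
        sig_bytes = _unb64url(sig)
    except ValueError:
        return False, None, "malformed"
    expected = hmac.new(NRF_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return False, None, "integrity"        # tampered or not from the NRF
    claims = json.loads(_unb64url(payload))
    if claims.get("aud") != my_nf_id:
        return False, None, "audience"         # issued for another producer
    if claims.get("exp", 0) <= now:
        return False, None, "expired"
    if not (claims.get("proxy_subscription") is True
            and claims.get("scope") == service and claims.get("target_nf")):
        return False, None, "no proxy grant"   # does not grant second NF this service
    if stored_token is not None and not hmac.compare_digest(stored_token, token):
        return False, None, "stored token mismatch"
    return True, claims["target_nf"], "ok"


def run_proxy_subscription(first_nf, second_nf, third_nf, service, now=1_700_000_000):
    """End to end: first NF obtains a token, then presents it to the producer."""
    token = nrf_issue_token({"first_nf": first_nf, "second_nf": second_nf,
                             "third_nf": third_nf, "service": service}, now=now)
    if token is None:
        return "rejected by NRF", None
    _ok, second_nf_id, reason = producer_verify_token(token, third_nf, service, now=now)
    return reason, second_nf_id
```

`run_proxy_subscription("smf-1", "amf-1", "pcf-1", "npcf-policyauthorization")` walks the happy path and returns `("ok", "amf-1")`, the producer having recovered the second NF's identifier from the verified token as the third aspect describes. The order of checks matters: integrity is checked before any claim is trusted, and the audience check stops a token issued for one producer from being replayed at another; the fixed `now` argument exists only so the validity-period check is reproducible.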
In a seventh aspect, an authorization apparatus for proxy subscription is provided, which has the function of implementing the NRF behavior in the first aspect and any possible design of the first aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions.
In one possible design, the apparatus may be a chip or an integrated circuit.
In one possible design, the apparatus includes a memory and a processor; the memory stores a set of programs, and the processor is configured to execute the programs stored in the memory. When the programs are executed, the apparatus can perform the method described in the first aspect and any possible design of the first aspect.
In one possible design, the apparatus further includes a transceiver for communication between the apparatus and other functions.
In one possible design, the apparatus is an NRF.
In an eighth aspect, an authorization apparatus for proxy subscription is provided, which has the function of implementing the first NF behavior in the second aspect and any possible design of the second aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions.
In one possible design, the apparatus may be a chip or an integrated circuit.
In one possible design, the apparatus includes a memory and a processor; the memory stores a set of programs, and the processor is configured to execute the programs stored in the memory. When the programs are executed, the apparatus can perform the method described in the second aspect and any possible design of the second aspect.
In one possible design, the apparatus further includes a transceiver for communication between the apparatus and other functions.
In one possible design, the apparatus is an NF.
In a ninth aspect, an authorization apparatus for proxy subscription is provided, which has the function of implementing the third NF behavior in the third aspect and any possible design of the third aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions.
In one possible design, the apparatus may be a chip or an integrated circuit.
In one possible design, the apparatus includes a memory and a processor; the memory stores a set of programs, and the processor is configured to execute the programs stored in the memory. When the programs are executed, the apparatus can perform the method described in the third aspect and any possible design of the third aspect.
In one possible design, the apparatus further includes a transceiver for communication between the apparatus and other functions.
In one possible design, the apparatus is an NF.
In a tenth aspect, an authorization apparatus for proxy subscription is provided, which has the function of implementing the SCP behavior in the fifth aspect and any possible design of the fifth aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions.
In one possible design, the apparatus may be a chip or an integrated circuit.
In one possible design, the apparatus includes a memory and a processor; the memory stores a set of programs, and the processor is configured to execute the programs stored in the memory. When the programs are executed, the apparatus can perform the method described in the fifth aspect and any possible design of the fifth aspect.
In one possible design, the apparatus further includes a transceiver for communication between the apparatus and other functions.
In one possible design, the apparatus is an SCP.
In an eleventh aspect, an authorization apparatus for proxy subscription is provided, which has the function of implementing the third NF behavior in the sixth aspect and any possible design of the sixth aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above functions.
In one possible design, the apparatus may be a chip or an integrated circuit.
In one possible design, the apparatus includes a memory and a processor; the memory stores a set of programs, and the processor is configured to execute the programs stored in the memory. When the programs are executed, the apparatus can perform the method described in the sixth aspect and any possible design of the sixth aspect.
In one possible design, the apparatus further includes a transceiver for communication between the apparatus and other functions.
In one possible design, the apparatus is an NF.
In an eleventh aspect, a chip is provided; the chip is connected to a memory, or includes a memory, and is configured to read and execute a software program stored in the memory so as to implement the method described in the above aspects and any possible design of those aspects.
In a twelfth aspect, a computer storage medium is provided, storing a computer program; the computer program includes instructions for performing the method in the above aspects and any possible design of those aspects.
In a thirteenth aspect, a computer program product is provided; when a computer reads and executes the computer program product, the computer is caused to perform the method described in the above aspects and any possible design of those aspects.
Description of the drawings
Figure 1a is a first schematic diagram of a service-based architecture system in an embodiment of this application;
Figure 1b is a second schematic diagram of a service-based architecture system in an embodiment of this application;
Figure 2 is a schematic flowchart of a first proxy subscription authorization method in an embodiment of this application;
Figure 3 is a schematic flowchart of a second proxy subscription authorization method in an embodiment of this application;
Figure 4 is a schematic flowchart of a third proxy subscription authorization method in an embodiment of this application;
Figure 5 is a schematic flowchart of a fourth proxy subscription authorization method in an embodiment of this application;
Figure 6 is a schematic flowchart of a fifth proxy subscription authorization method in an embodiment of this application;
Figure 7 is a schematic flowchart of a sixth proxy subscription authorization method in an embodiment of this application;
Figure 8 is a first schematic structural diagram of a proxy subscription authorization apparatus in an embodiment of this application;
Figure 9 is a second schematic structural diagram of a proxy subscription authorization apparatus in an embodiment of this application;
Figure 10 is a schematic flowchart of another subscription authorization method in an embodiment of this application;
Figure 11 is a schematic flowchart of another subscription authorization method in an embodiment of this application.
Detailed description of the embodiments
The embodiments of this application provide a proxy subscription authorization method, apparatus and system, used to secure proxy subscription. The method and the apparatus are based on the same inventive concept; since the principles by which the method and the apparatus solve the problem are similar, the implementations of the apparatus and the method may refer to each other, and repeated content is not described again. In the description of the embodiments of this application, "and/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist at the same time, or B exists alone. The character "/" generally indicates an "or" relationship between the associated objects. "At least one" in this application means one or more; "multiple" means two or more. In addition, it should be understood that in the description of this application the words "first", "second" and so on are used only to distinguish between the objects described, and are not to be understood as indicating or implying relative importance, nor as indicating or implying an order.
The communication method provided in the embodiments of this application can be applied to a 5G communication system or to various future communication systems.
The embodiments of this application are described in detail below with reference to the accompanying drawings.
Figure 1a shows a possible service-based architecture system to which the proxy subscription authorization method provided in the embodiments of this application is applicable. As shown in Figure 1a, the service-based architecture system 100 includes at least three NFs 101. This application takes three NFs as an example, denoted NF_A, NF_B and NF_C. NF_A, NF_B and NF_C are denoted by reference numerals 101_a, 101_b and 101_c. Optionally, the service-based architecture 100 further includes a network repository function (NRF) 102. Optionally, the service-based architecture 100 further includes a service communication proxy (SCP) 103.
Where:
NF 101 is a network function within the core network; the NFs communicate with each other by service invocation over service-based interfaces. NRF 102 is used for registration and discovery of the NFs 101, stores the registration information of each NF within the same PLMN, acts as the authorization server to complete authorization and generate tokens, and verifies tokens.
SCP 103 is used to forward communication between NFs, to implement load balancing and NF selection, and also has NF registration, discovery and authorization functions.
The NF in this application may be any NF. For example, Figure 1b shows a possible architecture of a communication system based on service-based interfaces in a non-roaming scenario. In the system architecture shown in Figure 1b, NF_A may be an NEF, NF_B may be an AMF, and NF_C may be a UDM; they may of course also be other functions. In addition, in Figure 1b the system architecture includes a network exposure function network element, a policy control function network element, a data management network element, an application function network element, a core network access and mobility management function network element, a session management function network element, a terminal device, an access network device, a user plane function (UPF) network element and a data network. The core network access and mobility management function network element and the terminal device may be connected through an N1 interface; the core network access and mobility management function network element and the access network device may be connected through an N2 interface; the access network device and the user plane function network element may be connected through an N3 interface; the session management function network element and the user plane function network element may be connected through an N4 interface; and the user plane function network element and the data network may be connected through an N6 interface. The interface names are only examples.
In Figure 1b above, the data network (DN) may be the Internet, an IP multimedia service (IMS) network, a regional network (that is, a local network, such as a mobile edge computing (MEC) network), and so on. The data network includes an application server, which provides services to the terminal device by exchanging data with the terminal device.
The core network access and mobility management function network element may be used to manage access control and mobility of the terminal device. In practical applications it includes the mobility management function of the mobility management entity (MME) in the long term evolution (LTE) network framework, with an access management function added; specifically, it may be responsible for registration of the terminal device, mobility management, tracking area update procedures, reachability detection, selection of the session management function network element, mobility state transition management, and so on. For example, in 5G the core network access and mobility management function network element may be an AMF (access and mobility management function) network element. In future communications, such as 6G, the core network access and mobility management function network element may still be an AMF network element or may have another name; this application does not limit this. When the core network access and mobility management function network element is an AMF network element, the AMF may provide the Namf service.
The session management function network element may be responsible for session management of the terminal device (including establishment, modification and release of sessions), selection and reselection of the user plane function network element, Internet protocol (IP) address allocation for the terminal device, quality of service (QoS) control, and so on. For example, in 5G the session management function network element may be an SMF (session management function) network element. In future communications, such as 6G, the session management function network element may still be an SMF network element or may have another name; this application does not limit this. When the session management function network element is an SMF network element, the SMF may provide the Nsmf service.
The policy control function network element may be responsible for policy control decisions and may provide functions such as service data flow and application detection, gating, QoS and flow-based charging control. For example, in 5G the policy control function network element may be a PCF (policy control function) network element. In future communications, such as 6G, the policy control function network element may still be a PCF network element or may have another name; this application does not limit this. When the policy control function network element is a PCF network element, the PCF network element may provide the Npcf service.
The main function of the application function network element is to interact with the 3rd generation partnership project (3GPP) core network to provide services, so as to influence service flow routing, access network capability exposure, policy control, and so on. For example, in 5G the application function network element may be an AF (application function) network element. In future communications, such as 6G, the application function network element may still be an AF network element or may have another name; this application does not limit this. When the application function network element is an AF network element, the AF network element may provide the Naf service.
The data management network element may be used to manage subscription data of the terminal device, registration information related to the terminal device, and so on. For example, in 5G the data management network element may be a unified data management (UDM) network element. In future communications, such as 6G, the data management network element may still be a UDM network element or may have another name; this application does not limit this. When the data management network element is a UDM network element, the UDM network element may provide the Nudm service.
The network exposure function network element may be used to enable 3GPP to securely expose network service capabilities to third-party AFs (for example, a services capability server (SCS), an application server (AS), and so on). For example, in 5G the network exposure function network element may be an NEF (network exposure function). In future communications, such as 6G, the network exposure function network element may still be an NEF network element or may have another name; this application does not limit this. When the network exposure function network element is an NEF, the NEF may provide the Nnef service to other network function network elements.
Namf is the service-based interface exhibited by the AMF. Nsmf is the service-based interface exhibited by the SMF. Nnef is the service-based interface exhibited by the NEF. Npcf is the service-based interface exhibited by the PCF. Nudm is the service-based interface exhibited by the UDM. Naf is the service-based interface exhibited by the AF. Nnrf is the service-based interface exhibited by the NRF. Nausf is the service-based interface exhibited by the AUSF.
The system architecture may also include other network elements, such as a network slice selection function (NSSF) network element, an authentication server function (AUSF) network element, and so on, which are not listed one by one here.
The network elements described in Figure 1b may also be called functional entities, or functions. Each network element may be a network element implemented on dedicated hardware, a software instance running on dedicated hardware, or an instance of a virtualized function on a suitable platform.
Based on the service-based architecture systems of Figures 1a and 1b, the proxy subscription authorization method provided in the embodiments of this application is described in detail below.
First, the concept of proxy subscription is introduced. Taking NF_A, NF_B and NF_C as an example, suppose NF_B is the service provider and NF_A and NF_C are service consumers. NF_A subscribing to a service from NF_B on behalf of NF_C means: NF_A sends a subscription request to NF_B; after receiving the subscription request, NF_B determines that NF_A is subscribing to the service from NF_B on behalf of NF_C; then, when the conditions are met, NF_B sends a notification directly to NF_C, the notification being used to provide the subscribed service. In this way, NF_A subscribes to the service from NF_B on behalf of NF_C. In this application, proxy subscription may also be implemented in a request-response manner. For example, NF_A subscribing to a service from NF_B on behalf of NF_C may also be understood as NF_A requesting a service from NF_B on behalf of NF_C. The proxy subscription scenario may be extended to NF_A requesting, on behalf of NF_C, to use a network function service of NF_B.
The identifier of an NF as used in this application includes: the NF instance ID, and/or the NF's uniform resource identifier (URI), and/or the NF's notification endpoint, and/or the NF's Notification Target Address, and/or a Notification Correlation ID, and/or a notification uniform resource locator (Notification URL), and/or a notification uniform resource identifier (Notification URI), and/or a callback uniform resource locator (Callback URL), and/or a Callback Reference, and/or any other form of ID or address information that can uniquely identify the NF. The following embodiments take the NF instance ID and/or the NF URI as the NF identifier by way of example to describe the proxy subscription authorization method.
The concept of a token as used in this application: a token indicates the authority to invoke a network function service. A token may contain any one or more of the following items of information:
the identifier of the service requester NF, the identifier of the service provider NF, the type of the service provider NF, the service type of the service provider NF, the service type of the service requester NF, the service name(s), the identifier of the NRF, the public land mobile network ID (PLMN ID), the expiration time, single network slice selection assistance information (S-NSSAI), the NF set ID, the service instance set ID, the service zone ID, the service area, the data network name (DNN), the tracking area ID (TAI), the public land mobile network ID (PLMN ID), location information of the target NF or NF service, event ID(s), an event list, a subscription change notification uniform resource identifier, a subscription change notification correlation ID, a subscription permanent identifier (SUPI), a group ID, a generic public subscription identifier (GPSI), and a permanent equipment identifier (PEI). Different tokens may also be distinguished from one another by a token identifier.
In the embodiments of this application, an authorization procedure is added to the proxy subscription process to secure proxy subscription.
The embodiments described below involve interaction among multiple NFs, including a first NF, a second NF, a third NF, an NRF and an SCP. The first NF corresponds to NF_A above, the second NF corresponds to NF_C above, and the third NF corresponds to NF_B above. The first NF subscribes to a service from the third NF on behalf of the second NF. In this application, the network function service provided by a service provider (service producer) may also be referred to simply as a service.
The first and second proxy subscription authorization methods described below are based on interaction among four network functions: the first NF, the NRF, the second NF and the third NF.
As shown in Figure 2, the procedure of the first proxy subscription authorization method provided in the embodiments of this application is as follows.
S201. The first NF sends a token request to the NRF, and the NRF receives the token request from the first NF.
The token request is used to request that authorization be performed. Performing authorization includes determining whether the first NF has the authority to send a subscription request to the third NF, for example whether the first NF has the authority to subscribe to a network function service from the third NF on behalf of the second NF. Authorization further includes determining whether the second NF has the authority to receive the network function service provided by the third NF.
The token request carries the identifiers of the service consumers, that is, the identifier of the first NF and the identifier of the second NF; for example, the instance ID and/or uniform resource identifier (URI) of the first NF, and the instance ID and/or URI of the second NF. The token request may also carry the network function service for which subscription is requested, the type of the service producer and/or the identifier of the service producer; in this embodiment the service producer is the third NF. For example, it carries the instance ID and/or URI of the third NF, and/or the NF type of the third NF. The token request may also carry event ID(s), and/or an event list, and/or a subscription change notification uniform resource identifier, and/or a subscription change notification correlation ID, and/or a subscription permanent identifier (SUPI), and/or a group ID, and/or a generic public subscription identifier (GPSI), and/or a permanent equipment identifier (PEI). The token request may also carry other parameters required for authorization and token generation.
可选的,该令牌请求中还可以携带一个指示信息,该指示信息用于指示第一NF请求的是代理订阅场景下的令牌,即指示NRF需要判断第二NF是否具有接收第三NF提供的网络功能服务的权限,并指示NRF需要判断第一NF是否具有向第三NF发送订阅请求的权限,具体为第一NF是否具有代理第二NF向第三NF订阅网络功能服务的权限。Optionally, the token request may also carry an indication information, which is used to indicate that the first NF is requesting a token in the proxy subscription scenario, that is, indicating that the NRF needs to determine whether the second NF has the ability to receive the third NF. Provides the authority of the network function service, and instructs the NRF to determine whether the first NF has the authority to send a subscription request to the third NF, specifically whether the first NF has the authority to subscribe to the third NF for the network function service on behalf of the second NF.
Optionally, S200 is further included before S201.
S200. The second NF sends NF information to the first NF, and the first NF receives the NF information from the second NF.
The NF information includes the identifier of the second NF, for example the instance ID and/or URI of the second NF. Optionally, the NF information further includes event identifiers (Event ID(s)), and/or an event list (Event List), and/or a Subscription Change Notification Uniform Resource Identifier, and/or a Subscription Change Notification Correlation ID, and/or a Subscription Permanent Identifier (SUPI), and/or a Group ID, and/or a Generic Public Subscription Identifier (GPSI), and/or a Permanent Equipment Identifier (PEI). Note that if the first NF has already been configured with, or has stored, the information of the second NF, S200 need not be performed.
Through S200 the first NF can obtain the information of the second NF; the identifier of the second NF carried in the token request in S201 may come from S200, or may be pre-configured or stored by the first NF.
S202. The NRF generates a token based on the received token request.
The NRF first determines from the token request that the first NF is requesting a token for the proxy subscription scenario. Specifically, the NRF may determine this from the service invocation name of the token request, which in this application differs from the service invocation name of a token request in the prior art; or from the indication information carried in the token request; or from the fact that the token request carries the identifiers (instance ID and/or URI) of two service consumers; or the NRF may determine in another way that the first NF is currently requesting a token for the proxy subscription scenario.
When performing authorization, the NRF may determine whether the first NF is authorized to subscribe to the network function service from the third NF on behalf of the second NF, and whether the second NF is authorized to receive the network function service provided by the third NF. For example, the NRF may decide this from the identifier of the first NF, the identifier of the second NF, the identifier and/or type of the service producer (that is, the third NF), and/or other information carried in the token request, combined with locally configured policy or authorization information.
The NRF generates a token only if it determines both that the second NF is authorized to receive the network function service provided by the third NF and that the first NF is authorized to subscribe to the network function service from the third NF on behalf of the second NF.
The generated token contains the identifiers of the first NF and the second NF; the NF identifier may be the NF Instance ID, and/or the URI of the NF, and/or any other form of ID or address information that uniquely identifies the NF. The token may also contain event identifiers (Event ID(s)), and/or an event list (Event List), and/or a Subscription Change Notification Uniform Resource Identifier, and/or a Subscription Change Notification Correlation ID, and/or a Subscription Permanent Identifier (SUPI), and/or a Group ID, and/or a Generic Public Subscription Identifier (GPSI), and/or a Permanent Equipment Identifier (PEI), and/or other parameters required for authorization and token generation.
The identifiers of the first NF and the second NF in the token are contained in the subject claim. Specifically, the subject claim may be extended in length, with the first half holding the identifier of the first NF and the second half holding the identifier of the second NF, or the first half holding the identifier of the second NF and the second half holding the identifier of the first NF. Alternatively, a new subject claim may be defined, for example subject claim-new: the subject claim holds the identifier of the first NF and subject claim-new holds the identifier of the second NF, or the subject claim holds the identifier of the second NF and subject claim-new holds the identifier of the first NF. This application does not restrict how the token carries the identifiers of the first NF and the second NF.
The other information in the token may be contained in Token Claims; this application does not restrict how the token carries that other information.
Optionally, the token may also carry indication information indicating that the token is a token for the proxy subscription scenario, for example indicating that the first NF subscribes to the network function service from the third NF on behalf of the second NF.
After the token is generated, S203 is performed.
If the NRF determines that the second NF is not authorized to receive the network function service provided by the third NF, or that the first NF is not authorized to subscribe to the network function service from the third NF on behalf of the second NF, or both, the procedure ends; the NRF may also send a message to the first NF indicating the determination result.
S203. The NRF sends a token response to the first NF, and the first NF receives the token response from the NRF.
The token response responds to the token request in S201 and carries the token generated by the NRF. The token indicates that the first NF is authorized to subscribe to the network function service from the third NF on behalf of the second NF, and that the second NF is authorized to receive the network function service provided by the third NF.
Through S201 to S203, the NRF can determine the authorization for proxy subscription, improving the security of proxy subscription.
After S203, the following steps may further be included.
S204. The first NF sends a subscription request (subscribe request) to the third NF, and the third NF receives the subscription request from the first NF.
The subscription request is used by the first NF to request to subscribe to the network function service from the third NF on behalf of the second NF. The subscription request includes the above token, the instance ID and/or URI of the first NF, and the instance ID and/or URI of the second NF. The subscription request may also carry the network function service to which subscription is requested, and the type and/or identifier of the service producer; in this embodiment the service producer is the third NF. For example, it carries the instance ID and/or URI of the third NF, and/or the type of the third NF (NF type). The subscription request may also carry event identifiers (Event ID(s)), and/or an event list (Event List), and/or a Subscription Change Notification Uniform Resource Identifier, and/or a Subscription Change Notification Correlation ID, and/or a Subscription Permanent Identifier (SUPI), and/or a Group ID, and/or a Generic Public Subscription Identifier (GPSI), and/or a Permanent Equipment Identifier (PEI).
Specifically, the first NF determines from the token response sent by the NRF that it is authorized to subscribe to the network function service from the third NF on behalf of the second NF, and then sends the subscription request to the third NF.
S205. The third NF verifies the token contained in the subscription request. If the verification succeeds, S206 is performed; otherwise, if the token verification fails, the third NF ends the procedure, or replies to the first NF with a subscription response containing a subscription failure indication, token verification failure information, or other information indicating that the procedure failed.
Specifically, if the token verification succeeds, the third NF determines that the second NF is authorized to receive the network function service provided by the third NF and that the first NF is authorized to subscribe to the network function service from the third NF on behalf of the second NF.
Token verification includes one or more of the following: an integrity check of the token; a check that the token indicates that the second NF is authorized to receive the network function service provided by the third NF; and a check of the token's validity. Verification fails if any one check fails, and succeeds only when all checks succeed. Specifically, it is necessary to check whether the subscription request contains the identifier of the third NF. It is also necessary to check whether the identifier and/or type of the service producer contained in the Audience Claim of the token matches the identifier and/or type of the third NF. It may also be checked whether the third NF can provide the network function service named in the subscription request; for example, if the third NF can provide service 1, service 2 and service 3 but the token indicates that the authorized service is service 4, verification fails. The token has a validity period: it is valid only within that period and becomes invalid once the period has elapsed, so verification succeeds only while the token is within its validity period. It may also be checked whether the information contained in the token is consistent with the corresponding information in the subscription request.
The above description of token verification applies to every token verification procedure in this document.
Optionally, the third NF may have the token verified by the NRF. Specifically, after receiving the subscription request, the third NF sends a verification request to the NRF. The NRF receives the verification request from the third NF, verifies the token it contains, and replies to the third NF with the verification result. If the verification succeeds, the third NF performs S206 and S207; otherwise the third NF ends the procedure, or replies to the first NF with a subscription response containing a subscription failure indication, token verification failure information, or other information indicating that the procedure failed. When the NRF verifies the token, in addition to the verification items listed above it may also check whether the token is consistent with the stored token, that is, whether it is consistent with the token contained in the token response sent to the first NF; if consistent the verification succeeds, otherwise it fails. Consistent means that the information indicated by the two tokens is the same.
The process of verifying the token through the NRF may replace S205.
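As an added example that is not part of the patent, the following models the NRF-side issuance of S202 and the third-NF verification of S205 for the first method with a compact HMAC-signed token; the shared key, the policy tables, the NF names and the claim layout (both NF identifiers in one extended subject claim) are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Assumption (not from the patent): the NRF and the third NF share an HMAC key.
# A real SBA deployment would have the NRF sign with its private key instead.
NRF_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed local authorization data at the NRF; the patent leaves its format open.
# (first NF, second NF, producer type) -> may the first NF subscribe on behalf of the second?
PROXY_POLICY = {("amf-1", "smf-7", "UDM"): True}
# (second NF, producer type) -> services the second NF may receive from that producer
RECEIVE_POLICY = {("smf-7", "UDM"): {"nudm-sdm", "nudm-uecm"}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict) -> str:
    """Serialise claims as 'payload.mac'; the MAC is what the S205 integrity check uses."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(NRF_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(mac)}"


def open_token(token: str):
    """Return the claims if the MAC is valid, else None (integrity failure)."""
    try:
        payload, mac = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(NRF_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(mac)):
        return None
    return json.loads(_unb64(payload))


def is_proxy_request(req: dict) -> bool:
    """S202: recognise a proxy-subscription request by the indication or by two consumer IDs."""
    return bool(req.get("proxy_indication")) or "second_nf" in req


def nrf_issue_token(req: dict, now: int, ttl: int = 600):
    """S202: issue a token only when BOTH authorization checks pass; None otherwise."""
    if not is_proxy_request(req):
        return None
    first, second = req["first_nf"], req["second_nf"]
    producer, service = req["producer_type"], req["service"]
    # Is the first NF allowed to subscribe to this producer on behalf of the second NF?
    if not PROXY_POLICY.get((first, second, producer)):
        return None
    # Is the second NF allowed to receive this service from this producer?
    if service not in RECEIVE_POLICY.get((second, producer), set()):
        return None
    claims = {
        "sub": f"{first};{second}",   # extended subject claim: first NF, then second NF
        "aud": producer,              # audience claim: the service producer (third NF)
        "scope": service,
        "iat": now,
        "exp": now + ttl,
        "proxy_subscription": True,   # indication that this is a proxy-scenario token
        "event_ids": req.get("event_ids", []),
    }
    return sign_token(claims)


def third_nf_verify(token: str, sub_req: dict, my_type: str, my_instance: str,
                    offered: set, now: int):
    """S205 at the third NF: every check must pass; returns (ok, reason)."""
    if sub_req.get("producer") not in (my_type, my_instance):
        return False, "subscription request does not name this NF"
    claims = open_token(token)
    if claims is None:
        return False, "integrity check failed"
    if claims.get("aud") not in (my_type, my_instance):
        return False, "audience mismatch"
    if not claims.get("proxy_subscription"):
        return False, "token is not a proxy-subscription token"
    if now >= claims["exp"]:
        return False, "token expired"
    if claims["scope"] not in offered:
        return False, "service not offered by this NF"
    first, second = claims["sub"].split(";", 1)
    expected = (sub_req["first_nf"], sub_req["second_nf"], sub_req["service"])
    if (first, second, claims["scope"]) != expected:
        return False, "token and subscription request disagree"
    return True, "ok"
```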
S206. The third NF sends an authorization notification to the second NF, and the second NF receives the authorization notification from the third NF.
The authorization notification carries the authorization result and indicates whether the second NF is authorized to receive the network function service provided by the third NF. The second NF may store the authorization result from the authorization notification.
Alternatively, the authorization notification may contain the token, from which the second NF learns the authorization result. That is, from the token the second NF learns whether it is authorized to receive the network function service provided by the third NF, and may also learn that the first NF is authorized to subscribe to the network function service from the third NF on its behalf.
S207. The third NF sends a subscription response (subscribe response) to the first NF, and the first NF receives the subscription response from the third NF.
The subscription response may carry the authorization result, indicating that the first NF is authorized to subscribe to the network function service from the third NF on behalf of the second NF.
Optionally, if S206 is not performed, it may be replaced by the following: the third NF may carry in the subscription response an authorization result that includes whether the first NF is authorized to subscribe to the network function service from the third NF on behalf of the second NF and whether the second NF is authorized to receive the network function service provided by the third NF; or the third NF carries the successfully verified token in the subscription response. The first NF determines from the token or authorization result carried in the subscription response that authorization succeeded. Further, the first NF may notify the second NF of the token or the authorization result. These operations may also be included when S206 is performed.
If the third NF's token verification fails, the third NF may also send the first NF an authorization result indicating failure, that is, indicating that the first NF is not authorized to subscribe to the network function service from the third NF on behalf of the second NF, or that the second NF is not authorized to receive the network function service provided by the third NF. In this case S206 is omitted.
S206 and S207 have no strict execution order and may be performed in either order.
S208. The third NF provides the network function service to the second NF according to the subscribed network function service.
Specifically, when the subscription condition is met, the third NF sends a notification (notify) to the second NF, which includes the network function service provided by the third NF.
Optionally, since the first NF subscribed to the service from the third NF on behalf of the second NF, the third NF may also send a notification to the first NF carrying information such as modification of the service or cancellation of the subscription.
The first authorization method for proxy subscription is also applicable to roaming scenarios. In a roaming scenario the NFs are located in two different public land mobile networks (PLMN). Interactions between NFs are forwarded by the SCP serving each NF. The token request sent by the first NF is forwarded by the NRF in the PLMN of the first NF to the NRF in the PLMN of the third NF, and the token response sent by the NRF in the PLMN of the third NF is forwarded to the first NF by the NRF in the PLMN of the first NF. Token generation and authorization are performed by the NRF in the PLMN of the third NF. Where the third NF has the token verified by the NRF, the token verification is likewise performed by the NRF in the PLMN of the third NF. The other processing is the same as described in the first authorization method for proxy subscription.
Based on the same inventive concept, an embodiment of this application provides a second authorization method for proxy subscription. Its main content is as follows: the first NF and the second NF each send a token request to the NRF, and the NRF generates two tokens for the token requests sent respectively by the first NF and the second NF, referred to here as the first token and the second token. The first token is requested by the first NF and sent by the NRF to the first NF; the second token is requested by the second NF and sent by the NRF to the second NF. The first token indicates that the first NF is authorized to subscribe to the network function service from the third NF on behalf of the second NF; the second token indicates that the second NF is authorized to receive the network function service provided by the third NF.
As shown in Figure 3, one possible procedure of the second authorization method for proxy subscription is as follows.
S301. The first NF sends a notification message to the second NF, and the second NF receives the notification message from the first NF.
The notification message instructs the second NF to request a token, for example to send a token request to the NRF in order to obtain a token.
The notification message may carry the following information:
The identifier of the first NF, for example the instance ID and/or URI of the first NF. The notification also carries the type and/or identifier of the service producer; in this embodiment the service producer is the third NF. The notification also carries other parameters required for authorization and token generation.
Optionally, the notification message further includes event identifiers (Event ID(s)), and/or an event list (Event List), and/or a Subscription Change Notification Uniform Resource Identifier, and/or a Subscription Change Notification Correlation ID, and/or a Subscription Permanent Identifier (SUPI), and/or a Group ID, and/or a Generic Public Subscription Identifier (GPSI), and/or a Permanent Equipment Identifier (PEI).
S302. The second NF sends a token request to the NRF, and the NRF receives the token request from the second NF.
The token request requests that authorization be performed, where performing authorization includes determining whether the second NF is authorized to receive the network function service provided by the third NF. The token request carries the identifier of the service consumer, that is, the identifier of the second NF, for example the instance ID and/or URI of the second NF. The token request also carries the network function service to which subscription is requested, and the type and/or identifier of the service producer; in this embodiment the service producer is the third NF. The token request also carries other parameters required for authorization and token generation; see the description of the parameters of the token request in S201, which is not repeated here.
S303. The first NF sends a token request to the NRF, and the NRF receives the token request from the first NF.
The token request requests that authorization be performed, where performing authorization includes determining whether the first NF is authorized to send a subscription request to the third NF, for example whether the first NF is authorized to subscribe to the network function service from the third NF on behalf of the second NF. The token request carries the identifier of the service consumer, that is, the identifier of the first NF, and also carries the identifier of the second NF, which characterizes the proxy subscription scenario. For example, it carries the instance ID and/or URI of the first NF, and the instance ID and/or URI of the second NF. The token request also carries the network function service to which subscription is requested, and the type and/or identifier of the service producer; in this embodiment the service producer is the third NF. It also carries other parameters required for authorization and token generation; see the description of the parameters of the token request in S201, which is not repeated here.
For ease of distinction, the token request sent by the first NF to the NRF is referred to as the first token request, and the token request sent by the second NF to the NRF as the second token request.
Optionally, both the first token request and the second token request may also carry indication information indicating that a token for the proxy subscription scenario is requested.
There is no strict execution order between S302 and S303; they may be performed in either order.
The first token request is used to obtain invocation authorization for the network function service provided by the third NF, for example to find out whether the first NF is authorized to send a subscription request to the third NF, that is, whether the first NF is authorized to subscribe to the network function service from the third NF on behalf of the second NF.
The second token request is used to obtain invocation authorization for the network function service provided by the third NF, for example to find out whether the second NF is authorized to receive the network function service provided by the third NF.
Similar to the embodiment of Figure 2, S300 may optionally be included before S301.
S300. The same as S200.
S304. Based on the received first token request, the NRF determines whether the first NF is authorized to subscribe to the network function service from the third NF on behalf of the second NF, and if so generates the first token;
based on the received second token request, the NRF determines whether the second NF is authorized to receive the network function service provided by the third NF, and if so generates the second token.
Optionally, the first token request that the NRF receives from the first NF may also carry indication information indicating that the first NF subscribes to the network function service from the third NF on behalf of the second NF.
Optionally, the second token request that the NRF receives from the second NF may also carry indication information indicating that the first NF subscribes to the network function service from the third NF on behalf of the second NF.
The NRF determines that the first NF is currently requesting a token for the proxy subscription scenario. Specifically, the NRF may determine this from the service invocation name of the first token request and/or the second token request, where that service invocation name differs from the service invocation name of a token request in the prior art; or from the indication information carried in the first token request and/or the second token request; or in another way.
Specifically, the NRF may decide, from the identifier of the first NF, the identifier or type of the service producer (that is, the third NF), and/or other information carried in the first token request, combined with locally configured policy or authorization information, whether the first NF is authorized to subscribe to the network function service from the third NF on behalf of the second NF. If so, the NRF generates the first token.
The first token contains the identifiers of the first NF and the second NF; the NF identifier may be the NF Instance ID, and/or the URI of the NF, and/or any other form of ID or address information that uniquely identifies the NF. The token may also contain event identifiers (Event ID(s)), and/or an event list (Event List), and/or a Subscription Change Notification Uniform Resource Identifier, and/or a Subscription Change Notification Correlation ID, and/or a Subscription Permanent Identifier (SUPI), and/or a Group ID, and/or a Generic Public Subscription Identifier (GPSI), and/or a Permanent Equipment Identifier (PEI), and/or other parameters required for authorization and token generation.
Similarly, the NRF may decide, from the identifier of the second NF, the identifier and/or type of the service producer (that is, the third NF), and/or other information carried in the second token request, combined with locally configured policy or authorization information, whether the second NF is authorized to receive the network function service provided by the third NF. If so, the NRF generates the second token.
所述第二令牌中包含第二NF的标识,具体的NF标识可以是NF Instance ID,和/或NF的URI,和/或者其他形式的能够唯一标识NF的ID或地址信息。所述令牌中还可以包含事件标识(Event ID(s)),和/或事件列表(Event List),和/或订阅更改通知统一资源标识(Subscription Change Notification Uniform Resource Identifier),和/或订阅更改通知相关统一资源标识(Subscription Change Notification Correlation ID),和/或订阅永久标识(Subscription Permanent Identifier,SUPI),和/或组标识(Group ID),和/或通用公共订阅标识(Generic Public Subscription Identifier,GPSI),和/或永久设备标识(Permanent Equipment Identifier,PEI),和/或其他授权和令牌生成所需的参数。The second token includes the identification of the second NF. The specific NF identification may be the NF Instance ID, and/or the URI of the NF, and/or other forms of ID or address information that can uniquely identify the NF. The token may also include an event ID (Event ID(s)), and/or an event list (Event List), and/or a subscription change notification uniform resource identifier (Subscription Change Notification Uniform Resource Identifier), and/or subscription Change Notification Correlation ID (Subscription Change Notification Correlation ID), and/or Subscription Permanent Identifier (SUPI), and/or Group ID (Group ID), and/or General Public Subscription Identifier (Generic Public Subscription Identifier) , GPSI), and/or Permanent Equipment Identifier (PEI), and/or other parameters required for authorization and token generation.
以上第一令牌和第二令牌中如何携带NF的标识和令牌中的其他信息请参看S202的相关描述。For how to carry the NF identifier and other information in the token in the above first token and second token, please refer to the relevant description of S202.
NRF在生成第一令牌和第二令牌后,执行S305。After the NRF generates the first token and the second token, S305 is executed.
若判定第二NF不具有接收第三NF提供的网络功能服务的权限,或者判定第一NF不具有代理第二NF向第三NF订阅网络功能服务的权限,或者判定第二NF不具有接收第三NF提供的网络功能服务的权限、且判定第一NF不具有代理第二NF向第三NF订阅网络功能服务的权限时,则NRF结束流程,NRF也可以向第一NF发送消息来指示判定结果。If it is determined that the second NF does not have the authority to receive network function services provided by the third NF, or it is determined that the first NF does not have the authority to subscribe network function services to the third NF on behalf of the second NF, or it is determined that the second NF does not have the authority to receive network function services from the third NF. When the third NF has the authority to provide network function services, and it is determined that the first NF does not have the authority to subscribe to the third NF on behalf of the second NF, the NRF ends the process, and the NRF may also send a message to the first NF to indicate the determination result.
S305. The NRF sends a token response to the first NF, and the first NF receives the token response from the NRF.
The token response carries the first token and the second token. Because the NRF knows that the first NF subscribes to a network function service from the third NF on behalf of the second NF, it is sufficient for the NRF to send the token response to the first NF. The token response may further carry the identifier of the first NF and the identifier of the second NF.
Through S301 to S305, the NRF can determine the permissions for the proxy subscription, improving the security of proxy subscription.
After S305, the following steps may further be included.
S306. The first NF sends a subscription request (subscribe request) to the third NF, and the third NF receives the subscription request from the first NF.
The subscription request is used by the first NF to request to subscribe to a network function service from the third NF on behalf of the second NF. The subscription request includes the first token and the second token; for the other parameters included in the subscription request, refer to the description of S204.
Specifically, when the first NF determines from the token response sent by the NRF that it has the permission to subscribe to a network function service from the third NF on behalf of the second NF, it sends the subscription request to the third NF.
S307. The third NF verifies the first token and the second token contained in the subscription request. If both verifications succeed, S308 is performed; otherwise the third NF ends the procedure, or replies to the first NF with a subscription response that contains subscription failure information, token verification failure information, or other information indicating that the procedure failed.
If verification of the first token succeeds, it is determined that the first NF has the permission to subscribe to a network function service from the third NF on behalf of the second NF; if verification of the second token succeeds, it is determined that the second NF has the permission to receive the network function service provided by the third NF.
For the content and manner of token verification, refer to the description of the embodiment shown in FIG. 2, which is not repeated here.
Similarly, optionally, the third NF may verify the tokens through the NRF. Specifically, after receiving the subscription request, the third NF sends a verification request to the NRF; the NRF receives the verification request from the third NF and verifies the first token and the second token contained in it. The NRF replies with the verification result to the third NF. If verification succeeds, the third NF performs S308; otherwise the third NF ends the procedure, or replies to the first NF with a subscription response that contains subscription failure information, token verification failure information, or other information indicating that the procedure failed.
The process in which the third NF verifies the tokens through the NRF may replace S307.
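The NRF-side decision of S304 (two permissions, two tokens, with the first token carrying both NF identifiers) and the double verification of S307 are shown below as an added example in Python; it is not code from the patent or from any 3GPP implementation. The claim names, the policy tables, the NF identifiers and the HMAC-SHA256 tag with a key shared between the NRF and the third NF are all assumptions made for this example, since the patent does not specify the token format or signature scheme. The verifier binds each token to the subscription request and to the other token, so a first token and a second token issued for different proxy pairs cannot be combined.

```python
import base64
import hashlib
import hmac
import json

# Assumed symmetric key shared by the NRF and the third NF (constructed for this example).
NRF_KEY = b"example-nrf-signing-key-constructed-for-illustration"

# Constructed NRF policy: which first NF may proxy-subscribe for which second NF
# at which producer type, and which services a second NF may receive from that type.
PROXY_POLICY = {("nf-a", "nf-b", "UDM")}
SERVICE_POLICY = {("nf-b", "UDM"): {"service-1", "service-2"}}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(claims: dict) -> str:
    """Serialize the claims and append an HMAC-SHA256 tag (assumed scheme)."""
    payload = _b64e(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(NRF_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64e(tag)}"


def _open(token: str):
    """Integrity check: return the claims, or None if the tag does not verify."""
    payload, _, tag = token.partition(".")
    expected = hmac.new(NRF_KEY, payload.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64d(tag)):
            return None
        return json.loads(_b64d(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def nrf_issue_tokens(first_req: dict, second_req: dict, now: int, ttl: int = 300):
    """S304: decide both permissions; return (first_token, second_token) or None."""
    producer = first_req["producer_type"]
    service = first_req["service"]
    # Both token requests must describe the same proxy subscription.
    if second_req["producer_type"] != producer or second_req["service"] != service:
        return None
    # Permission of the first NF to subscribe on behalf of the second NF.
    if (first_req["nf_id"], second_req["nf_id"], producer) not in PROXY_POLICY:
        return None
    # Permission of the second NF to receive the service from the producer.
    if service not in SERVICE_POLICY.get((second_req["nf_id"], producer), set()):
        return None
    exp = now + ttl
    first = _sign({"sub": first_req["nf_id"], "on_behalf_of": second_req["nf_id"],
                   "aud": producer, "scope": service,
                   "event_ids": first_req.get("event_ids", []), "exp": exp})
    second = _sign({"sub": second_req["nf_id"], "aud": producer,
                    "scope": service, "exp": exp})
    return first, second


def third_nf_verify(sub_req: dict, my_type: str, now: int):
    """S307: verify both tokens and their binding to the subscription request.
    Returns (True, 'ok') or (False, reason); any single failure rejects the request."""
    t1 = _open(sub_req["first_token"])
    t2 = _open(sub_req["second_token"])
    if t1 is None or t2 is None:
        return False, "integrity"
    for claims in (t1, t2):
        if claims["aud"] != my_type:          # token was issued for another producer
            return False, "audience"
        if claims["exp"] <= now:              # validity period elapsed
            return False, "expired"
        if claims["scope"] != sub_req["service"]:
            return False, "service"
    # First token must name exactly the proxy pair in the request ...
    if t1["sub"] != sub_req["first_nf_id"] or t1["on_behalf_of"] != sub_req["second_nf_id"]:
        return False, "first-token identity"
    # ... and the second token must belong to that same second NF.
    if t2["sub"] != t1["on_behalf_of"]:
        return False, "second-token identity"
    return True, "ok"
```

The validity-period check uses the caller's clock (`now`) so that it is testable; a deployment would use the current time and allow for clock skew between the NRF and the producer.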
The descriptions of S308 to S310 are the same as those of S206 to S208 and are not repeated here.
The second authorization method for proxy subscription may also apply to the roaming scenario. In the roaming scenario, the NFs are located in two different PLMNs. Interactions between NFs are forwarded by the SCPs serving them. The first token request sent by the first NF is forwarded by the NRF in the PLMN of the first NF to the NRF in the PLMN of the third NF. The second token request sent by the second NF is forwarded by the NRF in the PLMN of the second NF to the NRF in the PLMN of the third NF. The token response sent by the NRF in the PLMN of the third NF is forwarded to the first NF by the NRF in the PLMN of the first NF. Token generation and authorization are completed by the NRF in the PLMN of the third NF. Where the third NF verifies the tokens through the NRF, token verification is also completed by the NRF in the PLMN of the third NF. The other processing is the same as described in the second authorization method for proxy subscription.
Based on the same inventive concept, an embodiment of this application provides a third authorization method for proxy subscription. The third authorization method for proxy subscription described below is based on interaction among three network functions: a first NF, a second NF, and a third NF.
As shown in FIG. 4, the procedure of the third authorization method for proxy subscription provided by an embodiment of this application is as follows.
S401. The first NF sends a subscription request (subscribe request) to the third NF, and the third NF receives the subscription request from the first NF.
The subscription request is used by the first NF to request to subscribe to a network function service from the third NF on behalf of the second NF. The subscription request carries the identifier of the first NF and the identifier of the second NF; for the other parameters included in the subscription request, refer to the description of S204.
Optionally, S400 is further included before S401.
S400. The second NF sends NF information to the first NF, and the first NF receives the NF information from the second NF.
The NF information includes the identifier of the second NF, for example the instance ID and/or uniform resource identifier (URI) of the second NF. If the first NF has already configured or stored the information of the second NF, S400 need not be performed.
Optionally, the NF information further includes one or more event identifiers (Event ID(s)), and/or an event list (Event List), and/or a Subscription Change Notification Uniform Resource Identifier, and/or a Subscription Change Notification Correlation ID, and/or a Subscription Permanent Identifier (SUPI), and/or a Group ID, and/or a Generic Public Subscription Identifier (GPSI), and/or a Permanent Equipment Identifier (PEI).
Through S400, the first NF can obtain the information of the second NF. The identifier of the second NF carried in the subscription request in S401 may come from S400, or may be preconfigured or stored by the first NF.
S402. The third NF performs authorization based on the received subscription request.
The authorization operation includes: determining whether the first NF has the permission to subscribe to a network function service from the third NF on behalf of the second NF, and determining whether the second NF has the permission to receive the network function service provided by the third NF.
The permission may be determined, for example, by the third NF based on information such as the identifier of the first NF, the identifier of the second NF, and the type of the service producer carried in the subscription request, combined with locally configured policy or authorization information.
If the third NF determines that the second NF has the permission to receive the network function service provided by the third NF, S403 is performed; or, if the third NF determines that the second NF has the permission to receive the network function service provided by the third NF and that the first NF has the permission to subscribe to a network function service from the third NF on behalf of the second NF, S403 is performed.
If the third NF determines that the second NF does not have the permission to receive the network function service provided by the third NF, or that the first NF does not have the permission to subscribe to a network function service from the third NF on behalf of the second NF, or both (the second NF does not have the permission to receive the network function service provided by the third NF and the first NF does not have the permission to subscribe to a network function service from the third NF on behalf of the second NF), the third NF ends the procedure; the third NF may also send a message to the first NF to indicate the determination result.
S403. The third NF sends an authorization notification to the second NF, and the second NF receives the authorization notification from the third NF.
The authorization notification carries the authorization result and indicates that the second NF has the permission to receive the network function service provided by the third NF. The second NF may store the authorization result carried in the authorization notification.
S404. The third NF sends a subscription response (subscribe response) to the first NF, and the first NF receives the subscription response from the third NF.
The subscription response may carry the authorization result, indicating that the first NF has the permission to subscribe to a network function service from the third NF on behalf of the second NF.
Optionally, if S403 is not performed, the third NF may also carry the authorization result in the subscription response, the authorization result including: that the first NF has the permission to subscribe to a network function service from the third NF on behalf of the second NF, and whether the second NF has the permission to receive the network function service provided by the third NF. The first NF determines from the authorization result carried in the subscription response that authorization succeeded. Further, the first NF may notify the second NF of the authorization result. These operations may of course also be included where S403 is performed.
S403 and S404 have no strict execution order and may be performed in either order.
S405. The third NF provides the network function service to the second NF according to the subscribed network function service.
Specifically, when the subscription condition is met, the third NF sends a notification (notify) to the second NF, the notification including the network function service provided by the third NF.
Optionally, because the first NF subscribed to the service from the third NF on behalf of the second NF, the third NF may also send a notification to the first NF carrying information such as modification of the service or cancellation of the subscription.
The third authorization method for proxy subscription may also apply to the roaming scenario. In the roaming scenario, the NFs are located in two different PLMNs. The other processing is the same as described in the third authorization method for proxy subscription.
By having the third NF determine the permissions after receiving the proxy subscription request, the security of proxy subscription can be ensured.
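The third method has no tokens: the producer itself evaluates the two permissions of S402 against local policy and then emits the authorization notification of S403 and the subscription response of S404, or ends the procedure and reports the determination result as in the refusal case. The Python below is an added example of that evaluation and is not code from the patent or from any product; the rule format (matching an NF by instance ID or, with a `type:` prefix, by NF type), the NF identifiers, the service names and the message field names are assumptions made for this example. Policy is allow-list only, so an NF pair or service that no rule mentions is refused.

```python
from dataclasses import dataclass

# Constructed local policy of the third NF (a UDM-type producer in this example).
MY_PRODUCER_TYPE = "UDM"
PROXY_RULES = [  # (first NF matcher, second NF matcher): who may subscribe on whose behalf
    ("type:NEF", "type:AF"),
    ("nf-a", "nf-b"),
]
SERVICE_RULES = {  # second NF matcher -> services it may receive from this producer
    "type:AF": {"service-1"},
    "nf-b": {"service-1", "service-2"},
}


def _matches(matcher: str, nf: dict) -> bool:
    """A matcher is either an exact instance ID or 'type:<NF type>'."""
    if matcher.startswith("type:"):
        return nf["type"] == matcher[len("type:"):]
    return nf["id"] == matcher


@dataclass(frozen=True)
class AuthorizationResult:
    first_nf_allowed: bool    # first NF may subscribe on behalf of the second NF
    second_nf_allowed: bool   # second NF may receive the requested service

    @property
    def success(self) -> bool:
        return self.first_nf_allowed and self.second_nf_allowed


def authorize(sub_req: dict) -> AuthorizationResult:
    """S402: evaluate both permissions against local policy; anything unmatched is denied."""
    first, second = sub_req["first_nf"], sub_req["second_nf"]
    if sub_req["producer_type"] != MY_PRODUCER_TYPE:
        return AuthorizationResult(False, False)
    first_ok = any(_matches(a, first) and _matches(b, second) for a, b in PROXY_RULES)
    second_ok = any(_matches(m, second) and sub_req["service"] in services
                    for m, services in SERVICE_RULES.items())
    return AuthorizationResult(first_ok, second_ok)


def handle_subscribe_request(sub_req: dict) -> dict:
    """S402 to S404: returns the messages the third NF emits for one subscription request.
    On refusal the procedure ends and only the first NF is told the determination result."""
    result = authorize(sub_req)
    if not result.success:
        return {
            "authorization_notification": None,
            "subscribe_response": {"to": sub_req["first_nf"]["id"], "status": "failure",
                                   "first_nf_allowed": result.first_nf_allowed,
                                   "second_nf_allowed": result.second_nf_allowed},
        }
    return {
        # S403: tell the second NF it is authorized to receive the service.
        "authorization_notification": {"to": sub_req["second_nf"]["id"],
                                       "service": sub_req["service"],
                                       "second_nf_allowed": True},
        # S404: tell the first NF its proxy subscription was accepted.
        "subscribe_response": {"to": sub_req["first_nf"]["id"], "status": "success",
                               "first_nf_allowed": True, "second_nf_allowed": True},
    }
```

Reporting both flags separately in the failure response mirrors the text's three refusal cases (first NF refused, second NF refused, or both) without the producer having to send anything to the second NF.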
Based on the same inventive concept, embodiments of this application provide a fourth, a fifth, and a sixth authorization method for proxy subscription. The fourth, fifth, and sixth authorization methods for proxy subscription described below are all based on interaction among five network functions: a first NF, a second NF, a third NF, an NRF, and an SCP.
The SCP forwards service invocations between NFs; alternatively, the SCP may complete authorization of the requested service on its own, or the SCP may cooperate with the NRF to complete authorization of the requested service.
As shown in FIG. 5, the procedure of the fourth authorization method for proxy subscription provided by an embodiment of this application is as follows. This method uses a token to ensure the security of proxy subscription.
S501. The first NF sends a token request to the NRF, and the NRF receives the token request from the first NF.
This step is the same as S201; for details, refer to S201, which are not repeated here.
Optionally, S500 is further included before S501.
S500. The second NF sends NF information to the first NF, and the first NF receives the NF information from the second NF.
This step is the same as S200; for details, refer to S200, which are not repeated here.
S502. Based on the received token request, the NRF determines whether the second NF has the permission to receive the network function service provided by the third NF.
This step is the same as S202; for details, refer to S202, which are not repeated here.
S503. The NRF sends a token response to the first NF, and the first NF receives the token response from the NRF.
This step is the same as S203; for details, refer to S203, which are not repeated here.
The descriptions of S501 to S503 are the same as those of S201 to S203; refer to the description of the first authorization method for proxy subscription.
After S503, the following steps may further be included.
S504. The first NF sends a subscription request (subscribe request) to the SCP, and the SCP receives the subscription request from the first NF.
The subscription request is used by the first NF to request to subscribe to a network function service from the third NF on behalf of the second NF. The subscription request includes the token described above; for the other information included in the subscription request, refer to the description in S204.
S505. The SCP verifies the token included in the subscription request. If verification succeeds, S508 is performed; otherwise, if verification fails, the SCP ends the procedure, or replies to the first NF with a subscription response that contains subscription failure information, token verification failure information, or other information indicating that the procedure failed.
If verification succeeds, the SCP determines that the first NF has the permission to subscribe to a network function service from the third NF on behalf of the second NF, and that the second NF has the permission to receive the network function service provided by the third NF.
The verification includes one or more of the following: an integrity check of the token; a check of whether the token indicates that the second NF has the permission to receive the network function service provided by the third NF; and a check of the validity of the token. Verification fails when any one of the checks fails, and succeeds only when all checks succeed. Specifically, it is necessary to check whether the subscription request contains the identifier of the third NF. It is also necessary to check whether the identifier and/or type of the service producer contained in the audience claim of the token matches the identifier and/or type of the third NF looked up by the SCP; specifically, the SCP may look up the identifier of the third NF from locally configured information, or from information obtained from the NRF. It may also be checked whether the third NF is able to provide the subscribed network function service. For example, if the network function services the third NF can provide are service 1, service 2, and service 3, but the token indicates that the authorized service is service 4, verification fails. The token has a validity period: the token is valid only within its validity period and becomes invalid once the validity period has elapsed. Verification succeeds only when the token is within its validity period. It may also be checked whether the information contained in the token is consistent with the corresponding information in the subscription request.
Similarly to the first authorization method for proxy subscription, the SCP may optionally verify the token through the NRF. Specifically, after receiving the subscription request, the SCP sends a verification request to the NRF; the NRF receives the verification request from the SCP and verifies the token contained in it. The NRF returns the verification result to the SCP. If verification succeeds, the SCP performs S508; otherwise the SCP ends the procedure, or replies to the first NF with a subscription response that contains subscription failure information, token verification failure information, or other information indicating that the procedure failed.
The process of verifying the token through the NRF may replace S507.
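The checks the SCP applies in S505 (producer identifier present in the request, audience claim against the producer the SCP looks up, producer able to offer the authorized service, validity period, token consistent with the request), together with the forwarding in S507 (everything but the token, plus the verification result) and the yes/no authorization result of S509, are shown below as an added example in Python. It is not code from the patent or from any SCP product. The token is taken as already parsed claims after its integrity tag has been checked (that step is not repeated here), and the claim names, the producer registry, the NF and service identifiers and the message field names are assumptions made for this example. The function reports every failed check rather than the first one, which is what a defender wants in the SCP's log when a proxy subscription is refused.

```python
# Constructed producer information held by the SCP (locally configured or obtained from the NRF).
PRODUCER_REGISTRY = {
    "udm-1": {"type": "UDM", "services": {"service-1", "service-2", "service-3"}},
}


def scp_verify(sub_req: dict, claims: dict, now: int) -> list:
    """S505 checks applied to the token claims; returns the list of failed checks.
    An empty list means verification succeeded; any entry means it failed."""
    producer_id = sub_req.get("producer_id")
    if producer_id is None:
        return ["producer identity missing from subscription request"]
    producer = PRODUCER_REGISTRY.get(producer_id)
    if producer is None:
        return ["producer unknown to SCP"]
    failures = []
    # Audience claim must name the producer by identifier and/or type.
    if claims.get("aud") not in (producer_id, producer["type"]):
        failures.append("audience mismatch")
    # Token must indicate that this second NF may receive the producer's service.
    if claims.get("on_behalf_of") != sub_req["second_nf_id"]:
        failures.append("token does not authorize the second NF")
    # Producer must actually offer the authorized service (service 4 vs 1-3 in the text).
    if claims.get("scope") not in producer["services"]:
        failures.append("producer does not provide the authorized service")
    # Validity period.
    if claims.get("exp", 0) <= now:
        failures.append("token expired")
    # Information in the token must agree with the subscription request.
    if claims.get("sub") != sub_req["first_nf_id"] or claims.get("scope") != sub_req["service"]:
        failures.append("token and request inconsistent")
    return failures


def scp_forward_request(sub_req: dict, failures: list) -> dict:
    """S507: forward to the third NF everything except the token, plus the verification result."""
    forwarded = {key: value for key, value in sub_req.items() if key != "token"}
    forwarded["verification_result"] = "success" if not failures else "failure"
    return forwarded


def authorization_result(failures: list) -> dict:
    """S509: authorization result for the first NF; yes only when every check succeeded."""
    ok = not failures
    return {"first_nf_allowed": ok, "second_nf_allowed": ok, "failed_checks": list(failures)}
```

Stripping the token before forwarding keeps the producer from having to trust or re-validate a credential it did not issue, and the explicit verification result lets the third NF distinguish an SCP-verified request from one that arrived without verification.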
S506. The SCP sends an authorization notification to the second NF, and the second NF receives the authorization notification from the SCP.
The authorization notification carries the authorization result and indicates that the second NF has the permission to receive the network function service provided by the third NF. The second NF may store the authorization result carried in the authorization notification.
Alternatively, the authorization notification may also contain the token. The second NF learns the authorization result from the token; that is, from the token the second NF learns whether it has the permission to receive the network function service provided by the third NF, and may also learn that the first NF has the permission to subscribe to a network function service from the third NF on behalf of the second NF.
S507. The SCP sends a subscription request to the third NF, and the third NF receives the subscription request from the SCP.
The subscription request carries the information, other than the token, that was carried in the subscription request received from the first NF, and may also carry the verification result. The verification result indicates whether token verification succeeded; alternatively, it indicates the authorization result, that is, whether the second NF has the permission to receive the network function service provided by the third NF and whether the first NF has the permission to subscribe to a network function service from the third NF on behalf of the second NF.
There is no strict execution order between S506 and S507; they may be performed in either order.
S508. The third NF returns a subscription response to the SCP, and the SCP receives the subscription response from the third NF.
S509. The SCP sends a subscription response to the first NF, and the first NF receives the subscription response from the SCP.
The subscription response may carry the authorization result, indicating whether the first NF has the permission to subscribe to a network function service from the third NF on behalf of the second NF and whether the second NF has the permission to receive the network function service provided by the third NF. When the SCP verifies the token successfully, the authorization result is yes; when the SCP fails to verify the token, the authorization result is no. An authorization result of yes includes that the first NF has the permission to subscribe to a network function service from the third NF on behalf of the second NF, and/or that the second NF has the permission to receive the network function service provided by the third NF. An authorization result of no includes that the first NF does not have the permission to subscribe to a network function service from the third NF on behalf of the second NF, and/or that the second NF does not have the permission to receive the network function service provided by the third NF.
Alternatively, the subscription response may carry the token. Where the token or the authorization result is carried in the subscription response, the token or the authorization result may further be sent to the second NF via the first NF, and S506 may be omitted.
S510. The third NF provides the network function service to the second NF according to the subscribed network function service.
Specifically, when the subscription condition is met, the third NF sends a notification (notify) to the second NF, the notification including the network function service provided by the third NF.
Optionally, because the first NF performed the service subscription on behalf of the third NF, the third NF may also send a notification to the first NF through the SCP, carrying information such as modification of the service or cancellation of the subscription. Specifically, the third NF sends the notification to the SCP, and the SCP forwards the notification to the first NF.
The fourth authorization method for proxy subscription may also apply to the roaming scenario. In the roaming scenario, the NFs are located in two different PLMNs. Interactions between NFs are forwarded by the SCPs serving them. The token request sent by the first NF is forwarded by the NRF in the PLMN of the first NF to the NRF in the PLMN of the third NF. The token response sent by the NRF in the PLMN of the third NF is forwarded to the first NF by the NRF in the PLMN of the first NF. Token generation and authorization are completed by the NRF in the PLMN of the third NF. Where the third NF verifies the token through the NRF, token verification is also completed by the NRF in the PLMN of NF_B. Token verification is completed by the SCP serving the third NF. The other processing is the same as described in the fourth authorization method for proxy subscription.
Through the fourth authorization method for proxy subscription, in an SCP-based system architecture, the permission is determined by the NRF and the token is verified by the SCP, improving the security of proxy subscription.
As shown in FIG. 6, the flow of the fifth authorization method for proxy subscription provided by an embodiment of the present application is as follows. This method uses two tokens to indicate the authority of the first NF and of the second NF respectively, so as to improve the security of the proxy subscription procedure.
S601. The first NF sends a notification message to the SCP, and the SCP receives it from the first NF.
S602. The SCP forwards the notification message to the second NF, and the second NF receives it from the SCP.
The notification message instructs the second NF to request a token, for example by sending a token request to the NRF. The notification message may carry the following information:
the identity of the first NF, for example its instance ID and/or URI; the type and/or identity of the service producer, which in this embodiment is the third NF; and other parameters required for authorization and token generation.
Optionally, the notification message further includes Event ID(s), and/or an Event List, and/or a Subscription Change Notification Uniform Resource Identifier, and/or a Subscription Change Notification Correlation ID, and/or a Subscription Permanent Identifier (SUPI), and/or a Group ID, and/or a Generic Public Subscription Identifier (GPSI), and/or a Permanent Equipment Identifier (PEI).
S603. The second NF sends a token request to the NRF, and the NRF receives it from the second NF.
This token request asks the NRF to perform authorization, which here means determining whether the second NF has the authority to receive the network function service provided by the third NF. The token request carries the identity of the service consumer, i.e. the second NF, for example its instance ID and/or URI. It also carries the network function service whose subscription is requested and the type and/or identity of the service producer, which in this embodiment is the third NF. The token request further carries other parameters required for authorization and token generation; see the description of the parameters of the second token request in S201, not repeated here.
S604. The first NF sends a token request to the NRF, and the NRF receives it from the first NF.
This token request asks the NRF to perform authorization, which here means determining whether the first NF has the authority to send a subscription request to the third NF, for example whether it may subscribe to the third NF's network function service on behalf of the second NF. The token request carries the identity of the service consumer, i.e. the first NF, and also the identity of the second NF, which marks the request as a proxy subscription: for example the instance ID and/or URI of the first NF together with the instance ID and/or URI of the second NF. It also carries the network function service whose subscription is requested and the type and/or identity of the service producer, which in this embodiment is the third NF. The token request further carries other parameters required for authorization and token generation; see the description of the parameters of the first token request in S201, not repeated here.
For ease of distinction, the token request sent by the first NF to the NRF is called the first token request, and the token request sent by the second NF to the NRF is called the second token request.
Optionally, both the first token request and the second token request may also carry an indication that a token for the proxy subscription scenario is being requested.
There is no strict execution order between S603 and S604; they may be swapped.
The first token request obtains authority to invoke the network function service provided by the third NF: it asks whether the first NF has the authority to send a subscription request to the third NF, that is, whether it may subscribe to the third NF's network function service on behalf of the second NF.
The second token request likewise obtains authority to invoke the network function service provided by the third NF: it asks whether the second NF has the authority to receive the network function service provided by the third NF.
Optionally, S600 precedes S601.
S600. Same as S200.
S605. Based on the received first token request, the NRF determines whether the first NF has the authority to subscribe to the third NF's network function service on behalf of the second NF; if so, it generates the first token.
Based on the received second token request, the NRF determines whether the second NF has the authority to receive the network function service provided by the third NF; if so, it generates the second token.
Optionally, the first token request received by the NRF from the first NF may carry an indication that the first NF is subscribing to the third NF's network function service on behalf of the second NF.
Optionally, the second token request received by the NRF from the second NF may carry the same indication, namely that the first NF is subscribing to the third NF's network function service on behalf of the second NF.
The NRF determines that the first NF is requesting a token for the proxy subscription scenario. It may do so from the service operation name used in the first and/or second token request, which differs from the service operation name of an existing token request; from the indication carried in the first and/or second token request; or by other means.
Specifically, the NRF may determine authority from the identity of the first NF, the identity or type of the service producer (the third NF) and/or other information carried in the first token request, combined with locally configured policy or authorization information; that is, it determines whether the first NF has the authority to subscribe to the third NF's network function service on behalf of the second NF. If it does, the NRF generates the first token. For the contents of the first token, see the description of the first token in S304.
The NRF may likewise determine, from the identity of the second NF, the type of the service producer (the third NF) and other information carried in the second token request, combined with locally configured policy or authorization information, whether the second NF has the authority to receive the network function service provided by the third NF. If it does, the NRF generates the second token. For the contents of the second token, see the description of the second token in S304.
For how the first and second tokens carry the NF identities and their other contents, see the description of S202.
After the NRF has generated the first and second tokens, the procedure continues with S606 and S607.
If the NRF determines that the second NF lacks the authority to receive the network function service provided by the third NF, or that the first NF lacks the authority to subscribe to that service on behalf of the second NF, or both, the NRF ends the procedure; it may also send the first NF a message indicating the result of the determination.
S606. The NRF sends a token response to the first NF, and the first NF receives it from the NRF.
For distinction, this is called the first token response.
The first token response carries both the first token and the second token. Because the NRF knows that the first NF is subscribing to the third NF's network function service on behalf of the second NF, it is sufficient for the NRF to send the token response to the first NF; no separate response to the second NF is needed. The first token response may also carry the identities of the first NF and the second NF.
Through S601 to S606 the NRF determines the authority for the proxy subscription, improving its security.
After S606, the following steps may also be performed.
Specifically, the SCP stores the first token and the second token.
S607. The first NF sends a subscription request (subscribe request) to the SCP, and the SCP receives it from the first NF.
The subscription request is the first NF's request to subscribe to the third NF's network function service on behalf of the second NF. It carries the first token and the second token described above; for its other parameters, see the description of S204.
S608. The SCP verifies the tokens carried in the subscription request. If verification succeeds, S610 is performed; otherwise the SCP ends the procedure, or replies to the first NF with a subscription response carrying a subscription failure, a token verification failure, or other information indicating that the procedure failed.
If verification of the first token succeeds, the first NF is determined to have the authority to subscribe to the third NF's network function service on behalf of the second NF; if verification of the second token succeeds, the second NF is determined to have the authority to receive the network function service provided by the third NF.
For the content and method of token verification, refer to the description of the embodiment shown in FIG. 5, not repeated here.
Similarly and optionally, the SCP may verify the tokens through the NRF. Specifically, after receiving the subscription request the SCP sends a verification request to the NRF; the NRF receives it, verifies the first and second tokens it contains, and returns the verification result to the SCP. If verification succeeds, the SCP performs S610; otherwise the SCP ends the procedure, or replies to the first NF with a subscription response carrying a subscription failure, a token verification failure, or other information indicating that the procedure failed.
Verification of the tokens by the SCP through the NRF may replace S608.
S609 to S613 are the same as S506 to S510 and are not repeated here.
With the fifth authorization method for proxy subscription, in a system architecture with an SCP, the NRF determines authority and generates the first and second tokens, and the SCP verifies both tokens, improving the security of proxy subscription.
The fifth authorization method for proxy subscription also applies to roaming scenarios. In a roaming scenario the NFs are located in two different PLMNs. The token request sent by the first NF is forwarded by the NRF in the first NF's PLMN to the NRF in the third NF's PLMN; the token response sent by the NRF in the third NF's PLMN is forwarded by the NRF in the first NF's PLMN to the first NF. Token verification is performed by the SCP serving the third NF; in the variant where the SCP verifies the tokens through the NRF, verification is performed by the NRF in the third NF's PLMN. Other processing is as described for the fifth authorization method.
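The two-token exchange of S603 to S608, as an added example that is not part of the patent text: the NRF's authorization decision for both token requests (S605) and the SCP's verification of the token pair carried in the subscribe request (S608), including the binding checks a practitioner would want on top of signature and expiry: the first token must name the sender, both tokens must name the same second NF, and that NF must be the notification target. Token format, claim names (`sub`, `obo`, `aud`, `scope`, `proxy_sub`), policy tables, NF identifiers and the service name are this example's assumptions; the page does not specify them, and HMAC-SHA256 stands in for whatever signature the NRF uses.

```python
"""Two-token authorization for a proxied subscription (the fifth method on this page).

The first NF (the proxy) gets a token showing it may subscribe on behalf of the second
NF; the second NF gets a token showing it may receive the third NF's service. Both ride
in the subscribe request and the SCP checks them before forwarding. Token format, claim
names, identifiers, service name and policy tables are constructed for this example.
"""
import base64, hashlib, hmac, json


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class NRF:
    def __init__(self, key, nf_types, proxy_policy, consumer_policy):
        self.key = key                          # stands in for the NRF's token signing key
        self.nf_types = nf_types                # instance ID -> NF type (NF profiles)
        self.proxy_policy = proxy_policy        # {(proxy type, obo type, producer type, service)}
        self.consumer_policy = consumer_policy  # {(consumer type, producer type, service)}

    def _sign(self, claims):
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        return body + "." + _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())

    def decode(self, token, now):
        """Signature and expiry check. Returns the claims, or None if the token is invalid."""
        body, _, mac = token.partition(".")
        expected = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        if not mac or not hmac.compare_digest(expected, mac):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return claims if claims["exp"] > now else None

    def issue_tokens(self, first_req, second_req, now, ttl=300):
        """S605: both authorizations must pass, or no token is issued at all."""
        if not (first_req.get("proxy_sub") and second_req.get("proxy_sub")):
            return None  # no proxy-subscription indication
        if first_req["obo_id"] != second_req["consumer_id"]:
            return None  # the two requests do not describe the same proxied subscriber
        types = self.nf_types
        proxy_ok = (types[first_req["consumer_id"]], types[first_req["obo_id"]],
                    first_req["producer_type"], first_req["service"]) in self.proxy_policy
        consumer_ok = (types[second_req["consumer_id"]], second_req["producer_type"],
                       second_req["service"]) in self.consumer_policy
        if not (proxy_ok and consumer_ok):
            return None  # NRF ends the procedure (it may report the result to the first NF)
        first = {"sub": first_req["consumer_id"], "obo": first_req["obo_id"],
                 "aud": first_req["producer_type"], "scope": first_req["service"],
                 "proxy_sub": True, "exp": now + ttl}
        second = {"sub": second_req["consumer_id"], "aud": second_req["producer_type"],
                  "scope": second_req["service"], "proxy_sub": True, "exp": now + ttl}
        return self._sign(first), self._sign(second)


class SCP:
    def __init__(self, nrf):
        self.nrf = nrf  # verification via the NRF, the optional path the page describes

    def check_subscribe(self, req, now):
        """S608: 'forward' or a rejection reason; both tokens and their binding are checked."""
        t1 = self.nrf.decode(req["first_token"], now)
        t2 = self.nrf.decode(req["second_token"], now)
        if t1 is None or t2 is None:
            return "reject: token verification failed"
        if not (t1.get("proxy_sub") and t2.get("proxy_sub")):
            return "reject: not proxy-subscription tokens"
        if t1["sub"] != req["sender_id"]:
            return "reject: first token was not issued to the sender"
        if not (t1["obo"] == t2["sub"] == req["notify_target_id"]):  # same second NF everywhere
            return "reject: tokens not bound to the same second NF"
        if not (t1["aud"] == t2["aud"] == req["producer_type"]):
            return "reject: producer audience mismatch"
        if not (t1["scope"] == t2["scope"] == req["service"]):
            return "reject: service not covered by the tokens"
        return "forward"


def run_scenarios():
    """Happy path plus the failures the SCP must catch. All identifiers are constructed."""
    now, service = 1_700_000_000, "nproducer-events"
    nrf = NRF(b"constructed-nrf-key",
              {"proxy-nf-1": "PROXY_NF", "consumer-nf-1": "CONSUMER_NF",
               "consumer-nf-2": "CONSUMER_NF", "other-nf-1": "OTHER_NF"},
              {("PROXY_NF", "CONSUMER_NF", "PRODUCER_NF", service)},
              {("CONSUMER_NF", "PRODUCER_NF", service)})
    scp = SCP(nrf)

    def reqs(obo):  # the first and second token requests for one proxied subscriber
        return ({"consumer_id": "proxy-nf-1", "obo_id": obo, "producer_type": "PRODUCER_NF",
                 "service": service, "proxy_sub": True},
                {"consumer_id": obo, "producer_type": "PRODUCER_NF", "service": service,
                 "proxy_sub": True})

    t1, t2 = nrf.issue_tokens(*reqs("consumer-nf-1"), now)
    _, t2_other = nrf.issue_tokens(*reqs("consumer-nf-2"), now)
    sub = {"sender_id": "proxy-nf-1", "notify_target_id": "consumer-nf-1",
           "producer_type": "PRODUCER_NF", "service": service,
           "first_token": t1, "second_token": t2}
    tampered = t1[:-1] + ("A" if t1[-1] != "A" else "B")
    return {
        "valid": scp.check_subscribe(sub, now),
        "mixed_pair": scp.check_subscribe(dict(sub, second_token=t2_other), now),
        "tampered": scp.check_subscribe(dict(sub, first_token=tampered), now),
        "expired": scp.check_subscribe(sub, now + 301),
        "unauthorized": nrf.issue_tokens(*reqs("other-nf-1"), now),
    }
```

The cross-token binding is the part worth keeping. If the SCP verified each token only in isolation, a proxy holding valid tokens for two different subscribers could pair the first token issued for one with the second token issued for the other; tying `obo`, the second token's `sub` and the notification target together closes that gap, and the `mixed_pair` scenario shows it being caught.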
As shown in FIG. 7, the flow of the sixth authorization method for proxy subscription provided by an embodiment of the present application is as follows. The design idea is that when the SCP receives a subscription request marked as a proxy subscription, it does not forward it immediately: it first asks the NRF whether the subscription is authorized, or makes that determination itself, and decides whether to forward the subscription request according to the authorization result. This helps improve the security of the proxy subscription procedure.
S701. The first NF sends a subscription request to the SCP, and the SCP receives it from the first NF.
The subscription request is the first NF's request to subscribe to the third NF's network function service on behalf of the second NF. For the parameters it carries, see the description of S204.
Optionally, S700 precedes S701.
S700. The second NF sends NF information to the first NF, and the first NF receives it from the second NF.
This step is the same as S200; see the description of S200 for details, not repeated here.
S702. The SCP sends an authorization request to the NRF, and the NRF receives it from the SCP.
The authorization request asks the NRF whether the second NF has the authority to receive the network function service provided by the third NF, and whether the first NF has the authority to subscribe to that service on behalf of the second NF. For the information carried in the authorization request, see the description of the parameters of the token request in S201.
S703. The NRF performs authorization based on the received authorization request.
In performing authorization, the NRF may determine whether the first NF has the authority to subscribe to the third NF's network function service on behalf of the second NF, and whether the second NF has the authority to receive that service. For example, the NRF may determine authority from the identity of the first NF, the identity of the second NF, the identity and/or type of the service producer and/or other information carried in the authorization request, combined with locally configured policy or authorization information.
S704. The NRF sends an authorization response to the SCP, and the SCP receives it from the NRF.
The authorization response answers the authorization request of S702 and carries the authorization result. For example, a result of authorization success indicates that the first NF has the authority to subscribe to the third NF's network function service on behalf of the second NF and that the second NF has the authority to receive that service.
Optionally, S704 is performed only when the authorization result is success. Otherwise the NRF ends the procedure, or returns a response containing an authorization failure to the SCP.
Optionally, S702 to S704 may be omitted and the authorization determined by the SCP. That is, after receiving the subscription request, the SCP determines from it whether the first NF has the authority to subscribe to the third NF's network function service on behalf of the second NF and whether the second NF has the authority to receive that service, and so obtains the authorization result.
S705. The SCP decides, according to the authorization response, whether to forward the subscription request or to send a subscription rejection message.
When the result in the authorization response is authorization success, the SCP performs S706. When the result is authorization failure, the SCP sends a subscription rejection message to the first NF, indicating that the first NF's request to subscribe to the third NF's network function service on behalf of the second NF is rejected.
S706. The SCP sends an authorization notification to the second NF, and the second NF receives it from the SCP.
The authorization notification carries the authorization result: that the second NF has the authority to receive the network function service provided by the third NF, and optionally that the first NF has the authority to subscribe to that service on behalf of the second NF. The second NF may store the authorization result carried in the notification.
S707. The SCP sends a subscription request to the third NF, and the third NF receives it from the SCP.
This subscription request carries the information from the subscription request received from the first NF and may also carry the authorization result, which indicates whether the second NF has the authority to receive the network function service provided by the third NF and/or whether the first NF has the authority to subscribe to that service on behalf of the second NF.
There is no strict execution order between S706 and S707; they may be swapped.
S708. The third NF returns a subscription response to the SCP, and the SCP receives it from the third NF.
S709. The SCP sends a subscription response to the first NF, and the first NF receives it from the SCP.
The subscription response may carry the authorization result, indicating whether the first NF has the authority to subscribe to the third NF's network function service on behalf of the second NF.
S710. The third NF provides the subscribed network function service to the second NF.
Specifically, when the subscription condition is met, the third NF sends a notification (notify) to the second NF; the notification carries the network function service provided by the third NF.
Optionally, since the first NF performed the service subscription on behalf of the second NF, the third NF may also send a notification to the first NF through the SCP, carrying information such as a modification of the service or cancellation of the subscription. Specifically, the third NF sends the notification to the SCP, and the SCP forwards it to the first NF.
The sixth authorization method for proxy subscription also applies to roaming scenarios. In a roaming scenario the NFs are located in two different PLMNs, and interaction between NFs is forwarded by the SCP serving each of them. The subscription request sent by the first NF is forwarded by the SCP serving the first NF to the SCP serving the third NF; the subscription response sent by the SCP serving the third NF is delivered to the first NF by the SCP serving the first NF. Authorization (the determination of authority) is performed by the NRF in the third NF's PLMN. The check of the authorization result (S705) is performed by the SCP serving the third NF; in the variant where the SCP determines authorization itself, it is performed by the SCP in the third NF's PLMN. Other processing is as described for the sixth authorization method.
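The SCP's gatekeeping in S701 to S707, as an added example that is not part of the patent text: the SCP holds the subscribe request, obtains the authorization result from the NRF (or from its own policy when S702 to S704 are omitted), and only then either returns a rejection to the first NF or forwards the request to the third NF with the result attached and notifies the second NF. Message shapes, field names, NF identifiers, the service name and the policy tables are assumptions of this example; failing closed when no authorization result arrives is also the example's choice, which the page does not state.

```python
"""SCP-gated proxied subscription without tokens (the sixth method on this page).

The SCP holds the first NF's subscribe request, asks the NRF whether the first NF may
subscribe on behalf of the second NF and whether the second NF may receive the third NF's
service (S702-S704), then rejects, or forwards with the authorization result attached and
notifies the second NF (S705-S707). Message shapes, identifiers and policy tables are
constructed for this example; a method call stands in for the SBI request to the NRF.
"""


class NRF:
    def __init__(self, nf_types, proxy_policy, consumer_policy):
        self.nf_types = nf_types                # instance ID -> NF type (NF profiles)
        self.proxy_policy = proxy_policy        # {(proxy type, obo type, producer type, service)}
        self.consumer_policy = consumer_policy  # {(consumer type, producer type, service)}

    def authorize(self, auth_req):
        """S703: both checks against locally configured policy; S704 carries the outcome."""
        t = self.nf_types
        proxy_ok = (t[auth_req["first_nf"]], t[auth_req["second_nf"]],
                    auth_req["producer_type"], auth_req["service"]) in self.proxy_policy
        consumer_ok = (t[auth_req["second_nf"]], auth_req["producer_type"],
                       auth_req["service"]) in self.consumer_policy
        return {"first_nf_may_proxy": proxy_ok, "second_nf_may_receive": consumer_ok,
                "result": "success" if proxy_ok and consumer_ok else "failure"}


class UnreachableNRF:
    def authorize(self, auth_req):
        raise ConnectionError("NRF unreachable")  # simulates an S704 that never arrives


class SCP:
    def __init__(self, decider):
        # `decider` is the NRF (S702-S704) or, when those steps are omitted, the SCP's own
        # local policy object with the same interface; nothing is forwarded before the decision.
        self.decider = decider

    def handle_subscribe(self, sub_req):
        """S705-S707: returns the messages the SCP emits, in order."""
        auth_req = {"first_nf": sub_req["sender"], "second_nf": sub_req["notify_target"],
                    "producer_type": sub_req["producer_type"], "service": sub_req["service"]}
        try:
            auth = self.decider.authorize(auth_req)
        except Exception:
            # No usable authorization result: fail closed (this example's choice, not the page's).
            auth = {"result": "failure", "first_nf_may_proxy": False, "second_nf_may_receive": False}
        if auth["result"] != "success":
            return [{"to": sub_req["sender"], "type": "subscribe-reject", "auth": auth}]
        return [{"to": sub_req["notify_target"], "type": "authorization-notify", "auth": auth},
                {"to": sub_req["producer_id"], "type": "subscribe", "body": sub_req, "auth": auth}]


def run_scenarios():
    """Authorized, not authorized, and NRF unreachable. All identifiers are constructed."""
    service = "nproducer-events"
    nf_types = {"proxy-nf-1": "PROXY_NF", "consumer-nf-1": "CONSUMER_NF",
                "other-nf-1": "OTHER_NF", "producer-nf-1": "PRODUCER_NF"}
    nrf = NRF(nf_types, {("PROXY_NF", "CONSUMER_NF", "PRODUCER_NF", service)},
              {("CONSUMER_NF", "PRODUCER_NF", service)})
    sub = {"sender": "proxy-nf-1", "notify_target": "consumer-nf-1",
           "producer_id": "producer-nf-1", "producer_type": "PRODUCER_NF", "service": service}
    return {
        "authorized": SCP(nrf).handle_subscribe(sub),
        "consumer_not_permitted": SCP(nrf).handle_subscribe(dict(sub, notify_target="other-nf-1")),
        "nrf_down": SCP(UnreachableNRF()).handle_subscribe(sub),
    }
```

The point of the shape is that the subscribe request toward the third NF is emitted only from the success branch, so there is no code path in which an unauthorized or undecided request reaches the producer; the `nrf_down` scenario shows that a missing authorization response is treated like a failure rather than like a success.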
以下描述的实施例中涉及多个NF之间的交互,多个NF包括第一NF、第三NF和NRF。其中,第一NF对应上述NF_A,第三NF对应上述NF_B。第一NF向第三NF订阅服务,随后第三NF向第一NF发送服务通知。本申请中服务提供者或者服务提供方(service producer)提供的网络功能服务也可以简称为服务。The embodiments described below involve interactions between multiple NFs, and the multiple NFs include a first NF, a third NF, and an NRF. Among them, the first NF corresponds to the aforementioned NF_A, and the third NF corresponds to the aforementioned NF_B. The first NF subscribes to the third NF, and then the third NF sends a service notification to the first NF. The network function service provided by the service provider or service producer in this application may also be referred to as service for short.
下述代理订阅的授权方法之七是基于三个网络功能之间的交互,包括第一NF、NRF和第三NF。The seventh authorization method for proxy subscription below is based on the interaction between three network functions, including the first NF, NRF, and third NF.
如图10所示,本申请实施例提供的代理订阅的授权方法之七的流程如下所述。As shown in FIG. 10, the process of the seventh method for authorization of proxy subscription provided by the embodiment of the present application is as follows.
S1001、第一NF向NRF发送令牌请求,NRF从第一NF接收该令牌请求。S1001. The first NF sends a token request to the NRF, and the NRF receives the token request from the first NF.
该令牌请求(token request)用于请求执行授权。执行授权的过程包括:判断第一NF是否具有向第三NF发送订阅请求的权限。This token request is used to request execution authorization. The process of performing authorization includes: determining whether the first NF has the authority to send a subscription request to the third NF.
该令牌请求中携带服务请求者(service consumerer)的标识,即第一NF的标识。例如携带第一NF的实例标识(instance ID)和/或统一资源标识(URI)。该令牌请求中还可以携带请求订阅的网络功能服务,服务提供者(service producer)的类型和/或服务提供者(service producer)的标识,本实施例中服务提供者为第三NF。例如携带第三NF的实例标识(instance ID)和/或统一资源标识(URI),和/或第三NF的类型(NF type)。该令牌请求中还可以携带事件标识(Event ID(s)),和/或事件列表(Event List),和/或订阅更改通知统一资源标识(Subscription Change Notification Uniform Resource Identifier),和/或订阅更改通知相关统一资源标识(Subscription Change Notification Correlation ID),和/或订阅永久标识(Subscription Permanent Identifier,SUPI),和/或组标识(Group ID),和/或通用公共订阅标识(Generic Public Subscription Identifier,GPSI),和/或永久设备标识(Permanent Equipment Identifier,PEI)。该令牌请求中还可以携带其他授权和令牌生成所需的参数。The token request carries the identifier of the service consumer (service consumer), that is, the identifier of the first NF. For example, the instance ID and/or the uniform resource identifier (URI) of the first NF are carried. The token request may also carry the network function service for which the subscription is requested, the type of service producer and/or the service producer's identifier. In this embodiment, the service provider is the third NF. For example, the instance ID and/or uniform resource identifier (URI) of the third NF are carried, and/or the type of the third NF (NF type). The token request can also carry an event ID (Event ID(s)), and/or an event list (Event List), and/or a subscription change notification uniform resource identifier (Subscription Change Notification Uniform Resource Identifier), and/or subscription Change Notification Correlation ID (Subscription Change Notification Correlation ID), and/or Subscription Permanent Identifier (SUPI), and/or Group ID (Group ID), and/or General Public Subscription Identifier (Generic Public Subscription Identifier) , GPSI), and/or Permanent Equipment Identifier (PEI). The token request may also carry other parameters required for authorization and token generation.
可选的,该令牌请求中还可以携带一个指示信息,该指示信息用于指示第一NF请求的是订阅场景下的令牌,即指示NRF需要判断第一NF是否具有向第三NF发送订阅请求的权限。Optionally, the token request may also carry an indication information, which is used to indicate that the first NF is requesting a token in a subscription scenario, that is, indicating that the NRF needs to determine whether the first NF has the ability to send to the third NF. Permission to subscribe to the request.
S1002. The NRF generates a token based on the received token request.
The NRF first determines from the token request that the first NF is requesting a token for a subscription scenario. Specifically, the NRF may make this determination from the service invocation name of the token request; or from the indication information carried in the token request; or from parameters carried in the token request (such as the URI, Event ID(s), and so on); or the NRF determines in some other way that the first NF is currently requesting a token for a subscription scenario.
When performing authorization, the NRF may determine the permission based on the identifier of the first NF carried in the token request, the identifier and/or type of the service producer (that is, the third NF), and/or other information in the token request, combined with locally configured policy or authorization information.
If the NRF determines that the first NF has the permission to subscribe to the network function service from the third NF, it generates a token.
The generated token contains the identifier of the first NF; the specific NF identifier may be the NF Instance ID, and/or the URI of the NF, and/or another form of ID or address information that uniquely identifies the NF. The token may also contain event identifier(s) (Event ID(s)), and/or an event list (Event List), and/or a Subscription Change Notification Uniform Resource Identifier, and/or a Subscription Change Notification Correlation ID, and/or a Subscription Permanent Identifier (SUPI), and/or a Group ID, and/or a Generic Public Subscription Identifier (GPSI), and/or a Permanent Equipment Identifier (PEI), and/or other parameters required for authorization and token generation.
This application does not restrict how the token carries the identifier of the first NF and the other information in the token.
Optionally, the token may also carry indication information indicating that the token is a token for a subscription scenario; for example, the indication information indicates that the first NF subscribes to the network function service from the third NF.
After the token is generated, S1003 is performed.
If it is determined that the first NF does not have the permission to subscribe to the network function service from the third NF, the procedure ends; a message may also be sent to the first NF to indicate the determination result.
S1003. The NRF sends a token response to the first NF, and the first NF receives the token response from the NRF.
The token response responds to the token request of S1001. The token response carries the token generated by the NRF. The token indicates that the first NF has the permission to subscribe to the network function service from the third NF.
Through S1001 to S1003, the NRF can determine the subscription permission, improving the security of the subscription.
After S1003, the following steps may also be included.
S1004. The first NF sends a subscription request (subscribe request) to the third NF, and the third NF receives the subscription request from the first NF.
The subscription request is used by the first NF to request, on behalf of the second NF, subscription to the network function service from the third NF. The subscription request includes the above token and the instance ID and/or URI of the first NF. The subscription request may also carry the network function service to which subscription is requested, and the type and/or identifier of the service producer; in this embodiment the service producer is the third NF, so for example the instance ID and/or URI of the third NF, and/or the type of the third NF (NF type), is carried. The subscription request may also carry event identifier(s) (Event ID(s)), and/or an event list (Event List), and/or a Subscription Change Notification Uniform Resource Identifier, and/or a Subscription Change Notification Correlation ID, and/or a Subscription Permanent Identifier (SUPI), and/or a Group ID, and/or a Generic Public Subscription Identifier (GPSI), and/or a Permanent Equipment Identifier (PEI).
Specifically, when the first NF determines from the token response sent by the NRF that it has the permission to subscribe to the network function service from the third NF, it sends the subscription request to the third NF.
S1005. The third NF verifies the token contained in the subscription request. If the verification succeeds, S1006 is performed; otherwise, if the token verification fails, the third NF ends the procedure, or replies to the first NF with a subscription response containing a subscription failure, token verification failure information, or other information indicating that the procedure failed.
Specifically, if the token verification succeeds, the third NF determines that the first NF has the permission to subscribe to the network function service from the third NF.
The token verification includes one or more of the following: an integrity check of the token, a check of whether the token indicates that the first NF has the permission to subscribe to the network function service from the third NF, and a check of the validity of the token. Verification fails if any one check is unsuccessful, and succeeds only when all checks succeed. Specifically, it is necessary to check whether the subscription request contains the identifier of the third NF. It is also necessary to check whether the identifier and/or type of the service producer contained in the Audience Claim of the token is the same as the identifier and/or type of the third NF. It may also be checked whether the third NF can provide the network function service in the subscription request; for example, if the network function services the third NF can provide are service 1, service 2 and service 3, but the token indicates that the authorized service is service 4, the verification fails. The token has a validity period: it is valid only within that period and becomes invalid once the period has expired, so the verification succeeds only while the token is within its validity period. It may also be checked whether the information contained in the token is consistent with the corresponding information in the subscription request.
Optionally, the third NF may verify the token through the NRF. Specifically, after receiving the subscription request, the third NF sends a verification request to the NRF. The NRF receives the verification request from the third NF and verifies the token contained in the verification request. The NRF replies to the third NF with the verification result. If the verification succeeds, the third NF performs S1006; otherwise, the third NF ends the procedure, or replies to the first NF with a subscription response containing a subscription failure, token verification failure information, or other information indicating that the procedure failed. When the NRF verifies the token, in addition to the token verification items listed above, it may also check whether the token is consistent with the stored token, that is, whether the token is consistent with the token contained in the token response sent to the first NF. If they are consistent, the verification succeeds; otherwise it fails. Consistent means that the information indicated by the tokens is the same.
The procedure of verifying the token through the NRF may replace S1005.
S1006. The third NF sends a subscription response (subscribe response) to the first NF, and the first NF receives the subscription response from the third NF.
The subscription response may carry an authorization result indicating that the first NF has the permission to subscribe, on behalf of the second NF, to the network function service from the third NF; or the third NF carries the successfully verified token in the subscription response. The first NF determines from the token or the authorization result carried in the subscription response that the authorization succeeded.
S1007. The third NF provides the network function service to the first NF according to the subscribed network function service.
Specifically, when the subscription condition is met, the third NF sends a notification (notify) to the first NF, and the notification includes the network function service provided by the third NF.
Optionally, the third NF may also send a notification to the first NF carrying information such as modification of the service or cancellation of the subscription.
The seventh subscription authorization method can also apply to a roaming scenario. In the roaming scenario, the NFs are located in two different public land mobile networks (PLMNs). Interaction between NFs is forwarded by the SCP serving them. The token request sent by the first NF is forwarded by the NRF in the PLMN of the first NF to the NRF in the PLMN of the third NF. The token response sent by the NRF in the PLMN of the third NF is forwarded to the first NF by the NRF in the PLMN of the first NF. Token generation and authorization are completed by the NRF in the PLMN of the third NF. Where the third NF verifies the token through the NRF, the token verification is also completed by the NRF in the PLMN of the third NF. Other processing is the same as described in the first proxy subscription authorization method.
Based on the same inventive concept, an embodiment of this application provides an eighth subscription authorization method. The eighth subscription authorization method described below is based on interaction among four network functions: the first NF, the third NF, the NRF and the SCP. In this application, the network function service provided by the service provider (service producer) may also be referred to simply as a service.
The SCP forwards service invocations between NFs; alternatively, the SCP may complete authorization of the requested service on its own, or the SCP may cooperate with the NRF to complete authorization of the requested service.
As shown in FIG. 11, the procedure of the eighth subscription authorization method provided in the embodiment of this application is as follows. This method uses a token to ensure the security of the subscription.
S1101. The first NF sends a token request to the NRF, and the NRF receives the token request from the first NF.
This step is the same as S1001; for details refer to S1001, which are not repeated here.
S1102. The NRF generates a token based on the received token request.
This step is the same as S1002; for details refer to S1002, which are not repeated here.
S1103. The NRF sends a token response to the first NF, and the first NF receives the token response from the NRF.
This step is the same as S1003; for details refer to S1003, which are not repeated here.
The description of S1101 to S1103 is the same as that of S1001 to S1003; refer to the related description of the seventh proxy subscription authorization method.
After S1103, the following steps may also be included.
S1104. The first NF sends a subscription request (subscribe request) to the SCP, and the SCP receives the subscription request from the first NF.
The subscription request is used by the first NF to request, on behalf of the second NF, subscription to the network function service from the third NF. The subscription request includes the above token; for the other information contained in the subscription request, refer to the related description in S1004.
S1105. The SCP verifies the token contained in the subscription request. If the verification succeeds, S1106 is performed; otherwise, if the verification fails, the SCP ends the procedure, or replies to the first NF with a subscription response containing a subscription failure, token verification failure information, or other information indicating that the procedure failed.
If the verification succeeds, the SCP determines that the first NF has the permission to subscribe to the network function service from the third NF.
The verification includes one or more of the following: an integrity check of the token, a check of whether the token indicates that the first NF has the permission to subscribe to the network function service from the third NF, and a check of the validity of the token. Verification fails if any one check is unsuccessful, and succeeds only when all checks succeed. Specifically, it is necessary to check whether the subscription request contains the identifier of the third NF. It is also necessary to check whether the identifier and/or type of the service producer contained in the audience claim of the token is the same as the identifier and/or type of the third NF looked up by the SCP; specifically, the SCP may obtain the identifier of the third NF from locally configured information, or from information obtained from the NRF. It may also be checked whether the third NF can provide the subscribed network function service; for example, if the network function services the third NF can provide are service 1, service 2 and service 3, but the token indicates that the authorized service is service 4, the verification fails. The token has a validity period: it is valid only within that period and becomes invalid once the period has expired, so the verification succeeds only while the token is within its validity period. It may also be checked whether the information contained in the token is consistent with the corresponding information in the subscription request.
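Token issuance at the NRF (S1002) and the checks that the third NF (S1005) or the SCP (S1105) runs on the token are shown together below as an added example; it is not code from the patent, and the HMAC-signed "payload.signature" format, the key, the NF identifiers, the policy table and the service names are all constructed assumptions, since the application itself does not fix a token format.

```python
import base64
import hashlib
import hmac
import json

# Constructed example: a compact "payload.signature" token signed with an HMAC
# key shared by the NRF and the verifying NF/SCP. Key, identifiers and service
# names are assumed; the patent does not prescribe a token format.
NRF_SIGNING_KEY = b"constructed-nrf-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    return _b64(hmac.new(NRF_SIGNING_KEY, payload.encode(), hashlib.sha256).digest())


def nrf_issue_token(consumer_id, producer_id, producer_type, service,
                    event_ids, now, ttl, policy):
    """S1002: the NRF checks local policy and, only if the consumer may subscribe
    to this service from this producer type, issues a signed token.
    Returns None when authorization fails (the 'no permission' branch)."""
    allowed = policy.get(consumer_id, {}).get(producer_type, set())
    if service not in allowed:
        return None
    claims = {
        "sub": consumer_id,          # first NF identifier
        "aud": producer_id,          # Audience Claim: service producer identifier
        "aud_type": producer_type,   # and its NF type
        "scope": service,            # network function service subscribed to
        "event_ids": sorted(event_ids),
        "iat": now,
        "exp": now + ttl,            # validity period
        "subscription": True,        # indication: token for a subscription scenario
    }
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + _sign(payload)


def verify_subscription_token(token, request, my_id, my_type, my_services, now):
    """S1005/S1105: the third NF (or the SCP on its behalf) checks integrity,
    subscription indication, validity period, audience, offered service and
    consistency with the subscription request. Returns (ok, reason)."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed token"
    payload, sig = parts
    # integrity first: nothing in the payload is trusted until the MAC matches
    if not hmac.compare_digest(sig, _sign(payload)):
        return False, "integrity check failed"
    claims = json.loads(_unb64(payload))
    if not claims.get("subscription"):
        return False, "token is not a subscription token"
    if not claims["iat"] <= now < claims["exp"]:
        return False, "token outside its validity period"
    # the subscription request must identify this producer ...
    if request.get("producer_id") != my_id:
        return False, "subscription request does not identify this producer"
    # ... and the token's Audience Claim must match this producer's id and type
    if claims["aud"] != my_id or claims["aud_type"] != my_type:
        return False, "audience claim does not match this producer"
    # e.g. producer offers service1..service3 but the token authorizes service4
    if claims["scope"] not in my_services:
        return False, "producer cannot provide the authorized service"
    # token contents must agree with the corresponding request fields
    if request.get("consumer_id") != claims["sub"]:
        return False, "consumer id in request differs from token"
    if request.get("service") != claims["scope"]:
        return False, "service in request differs from token"
    if sorted(request.get("event_ids", [])) != claims["event_ids"]:
        return False, "event ids in request differ from token"
    return True, "ok"


if __name__ == "__main__":
    policy = {"nf1-instance": {"TYPE_C": {"service1"}}}  # constructed NRF policy
    tok = nrf_issue_token("nf1-instance", "nf3-instance", "TYPE_C", "service1",
                          ["event-a"], now=1000, ttl=600, policy=policy)
    req = {"consumer_id": "nf1-instance", "producer_id": "nf3-instance",
           "service": "service1", "event_ids": ["event-a"]}
    print(verify_subscription_token(tok, req, "nf3-instance", "TYPE_C",
                                    {"service1", "service2", "service3"}, now=1200))
```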
Similarly to the seventh subscription authorization method, the SCP may optionally verify the token through the NRF. Specifically, after receiving the subscription request, the SCP sends a verification request to the NRF; the NRF receives the verification request from the SCP and verifies the token contained in it. The NRF returns the verification result to the SCP. If the verification succeeds, the SCP performs S1106; otherwise, the SCP ends the procedure, or replies to the first NF with a subscription response containing a subscription failure, token verification failure information, or other information indicating that the procedure failed.
The procedure of verifying the token through the NRF may replace S1105.
S1106. The SCP sends a subscription request to the third NF, and the third NF receives the subscription request from the SCP.
This subscription request carries the information carried in the subscription request received from the first NF, and may also carry the verification result. The verification result indicates whether the token verification succeeded, or indicates the authorization result, that is, whether the first NF has the permission to subscribe to the network function service from the third NF.
S1107. The third NF returns a subscription response to the SCP, and the SCP receives the subscription response from the third NF.
S1108. The SCP sends a subscription response to the first NF, and the first NF receives the subscription response from the SCP.
The subscription response may carry an authorization result indicating whether the first NF has the permission to subscribe to the network function service from the third NF. If the SCP's token verification succeeds, the authorization result is yes; if it fails, the authorization result is no. An authorization result of yes means that the first NF has the permission to subscribe to the network function service from the third NF; an authorization result of no means that the first NF does not have that permission.
Alternatively, the subscription response may carry the token.
S1109 to S1110. The third NF provides the network function service to the first NF according to the subscribed network function service.
Specifically, when the subscription condition is met, the third NF sends a notification (notify) to the first NF through the SCP, and the notification includes the network function service provided by the third NF.
Optionally, since the first NF has subscribed to the service from the third NF, the third NF may also send a notification to the first NF through the SCP carrying information such as modification of the service or cancellation of the subscription. Specifically, the third NF sends the notification to the SCP, and the SCP forwards it to the first NF.
The eighth subscription authorization method can also apply to a roaming scenario. In the roaming scenario, the NFs are located in two different PLMNs. Interaction between NFs is forwarded by the SCP serving them. The token request sent by the first NF is forwarded by the NRF in the PLMN of the first NF to the NRF in the PLMN of the third NF. The token response sent by the NRF in the PLMN of the third NF is forwarded to the first NF by the NRF in the PLMN of the first NF. Token generation and authorization are completed by the NRF in the PLMN of the third NF. Where the third NF verifies the token through the NRF, the token verification is also completed by the NRF in the PLMN of NF_B. Token verification is completed by the SCP serving the third NF. Other processing is the same as described in the eighth subscription authorization method.
Through the eighth subscription authorization method, in the SCP-based system architecture, the permission is determined by the NRF and the token is verified by the SCP, improving the security of proxy subscription.
Based on the same inventive concept as the above method embodiments, as shown in FIG. 8, an embodiment of this application further provides a proxy subscription authorization apparatus 800. The apparatus 800 includes a receiving unit 801 and a processing unit 802, and further includes a sending unit 803.
The apparatus 800 may be applied to an NRF, or may be the NRF, and may perform the operations performed by the NRF in each of the above proxy subscription authorization methods. Taking the first proxy subscription authorization method as an example, the receiving unit 801 is configured to receive a token request from the first network function NF, and the processing unit 802 is configured to generate a token based on the token request. Optionally, the receiving unit 801 is further configured to receive a verification request from the third NF, and the processing unit 802 is further configured to verify the second token. The sending unit 803 is configured for the NRF to send messages to other functions.
The apparatus 800 may also be applied to the first NF, or may be the first NF, and may perform the operations performed by the first NF in each of the above proxy subscription authorization methods. Taking the first proxy subscription authorization method as an example, the sending unit 803 is configured to send a token request to the network function repository function NRF, the token request requesting the NRF to generate a token, and the receiving unit 801 is configured to receive the token from the NRF.
The apparatus 800 may also be applied to the third NF, or may be the third NF, and may perform the operations performed by the third NF in each of the above proxy subscription authorization methods. Taking the first proxy subscription authorization method as an example, the receiving unit 801 is configured to receive a subscription request from the first NF, the subscription request carrying a token. The processing unit 802 is configured to verify the token contained in the subscription request and obtain a verification result. If the verification passes, the first NF has the permission to subscribe, on behalf of the second NF, to the network function service from the third NF, and the second NF has the permission to receive the network function service provided by the third NF; if the verification fails, the first NF does not have the permission to subscribe, on behalf of the second NF, to the network function service from the third NF, and the second NF does not have the permission to receive the network function service provided by the third NF. The sending unit 803 is configured to send a subscription response to the first NF, the subscription response carrying the verification result.
Based on the same inventive concept as the above method embodiments, as shown in FIG. 9, an embodiment of this application further provides a proxy subscription authorization apparatus 900, which is used to implement the operations performed by the NRF, the first NF, the second NF, the third NF or the SCP in each proxy subscription authorization method provided in the above embodiments. For brevity, the possible physical apparatus for each of the above functions is illustrated with reference to FIG. 9; it should be understood that FIG. 9 is only a schematic diagram and may apply to each of the different functions above. The proxy subscription authorization apparatus 900 includes a transceiver 901 and a processor 902, and may further include a memory 903. The processor 902 is configured to invoke a set of programs which, when executed, cause the processor 902 to perform the operations performed by the NRF, the first NF, the second NF, the third NF or the SCP in each proxy subscription authorization method provided in the above embodiments. The memory 903 is configured to store the programs executed by the processor 902. The sending unit and receiving unit of the functional modules in FIG. 8 may be implemented by the transceiver 901, and the processing unit may be implemented by the processor 902.
The processor 902 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
The processor 902 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.
The memory 903 may include volatile memory, for example random-access memory (RAM); the memory 903 may also include non-volatile memory, for example flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 903 may also include a combination of the above kinds of memory.
In the methods provided in the above embodiments of this application, some or all of the operations and functions performed by the described functional entities (or functions) may be completed by a chip or an integrated circuit.
To implement the functions of the apparatus described in FIG. 8 or FIG. 9, an embodiment of this application further provides a chip including a processor, configured to support the apparatus in implementing the functions involved in the methods provided in the above embodiments. In one possible design, the chip is connected to a memory, or the chip includes a memory, and the memory is used to store the program instructions and data necessary for the apparatus.
An embodiment of this application provides a computer storage medium storing a computer program, the computer program including instructions for executing the methods provided in the above embodiments.
An embodiment of this application provides a computer program product containing instructions which, when run on a computer, cause the computer to execute the methods provided in the above embodiments.
Those skilled in the art should understand that the embodiments of this application may be provided as a method, a system, or a computer program product. Therefore, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, and so on) containing computer-usable program code.
This application is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of this application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus that implements the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
尽管已描述了本申请的优选实施例,但本领域内的技术人员一旦得知了基本创造性概念,则可对这些实施例作出另外的变更和修改。所以,所附权利要求意欲解释为包括优选实施例以及落入本申请范围的所有变更和修改。Although the preferred embodiments of the present application have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn the basic creative concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications falling within the scope of the present application.
显然,本领域的技术人员可以对本申请实施例进行各种改动和变型而不脱离本申请实施例的精神和范围。这样,倘若本申请实施例的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the embodiments of the present application without departing from the spirit and scope of the embodiments of the present application. In this way, if these modifications and variations of the embodiments of this application fall within the scope of the claims of this application and their equivalent technologies, this application is also intended to include these modifications and variations.

Claims (30)

  1. An authorization method for proxy subscription, characterized in that it comprises:
    a network function repository function NRF receiving a token request from a first network function NF, where the token request includes an identifier of the first NF and an identifier of a second NF;
    the NRF generating a first token based on the token request, where the first token is used to indicate that the first NF has the authority to subscribe to a network function service from a third NF on behalf of the second NF, and to indicate that the second NF has the authority to receive the network function service provided by the third NF; and
    the NRF sending the first token to the first NF.
  2. The method according to claim 1, characterized in that the token request includes first indication information, and the indication information is used to indicate that the first NF subscribes to the network function service from the third NF on behalf of the second NF.
  3. The method according to claim 1, characterized in that the first token includes the identifier of the second NF.
  4. The method according to claim 1 or 2, characterized in that the first token includes second indication information, which is used to indicate that the first NF subscribes to the network function service from the third NF on behalf of the second NF.
  5. An authorization method for proxy subscription, characterized in that it comprises:
    a first network function NF sending a token request to a network function repository function NRF, where the token request includes an identifier of the first NF and an identifier of a second NF; and
    the first NF receiving a token from the NRF, where the token is used to indicate that the first NF has the authority to subscribe to a network function service from a third NF on behalf of the second NF, and to indicate that the second NF has the authority to receive the network function service provided by the third NF.
  6. The method according to claim 5, characterized in that the token request includes first indication information, and the first indication information is used to indicate that the first NF subscribes to the network function service from the third NF on behalf of the second NF.
  7. The method according to claim 5 or 6, characterized in that the token includes the identifier of the second NF.
  8. The method according to any one of claims 5 to 7, characterized in that the token includes second indication information, and the second indication information is used to indicate that the first NF subscribes to the network function service from the third NF on behalf of the second NF.
  9. The method according to any one of claims 5 to 8, characterized in that the method further comprises:
    the first NF sending a subscription request to the third NF, where the subscription request carries the token.
  10. The method according to claim 9, characterized in that the method further comprises:
    the first NF receiving a subscription response from the third NF, where the subscription response carries the token or an authorization result, and the authorization result includes: the second NF has the authority to receive the network function service provided by the third NF, and the first NF has the authority to subscribe to the network function service from the third NF on behalf of the second NF.
  11. The method according to any one of claims 5 to 10, characterized in that the method further comprises:
    the first NF receiving a notification from the third NF, where the notification carries the token or an authorization result, and the authorization result includes that the first NF has the authority to subscribe to the network function service from the third NF on behalf of the second NF, and that the second NF has the authority to receive the network function service provided by the third NF.
  12. An authorization method for proxy subscription, characterized in that it comprises:
    a third network function NF receiving a subscription request from a first NF, where the subscription request carries a token;
    the third NF verifying the token contained in the subscription request to obtain a verification result, where, if the verification succeeds, the first NF has the authority to subscribe to a network function service from the third NF on behalf of a second NF, and the second NF has the authority to receive the network function service provided by the third NF; and if the verification fails, the first NF does not have the authority to subscribe to the network function service from the third NF on behalf of the second NF, and the second NF does not have the authority to receive the network function service provided by the third NF; and
    the third NF sending a subscription response to the first NF, where the subscription response carries the verification result.
  13. The method according to claim 12, characterized in that the token carries the identifier of the second NF.
  14. The method according to claim 13, characterized in that the method further comprises:
    the third NF obtaining the identifier of the second NF from the token when the verification succeeds.
  15. The method according to any one of claims 12 to 14, characterized in that the token carries indication information, and the indication information is used to indicate that the first NF subscribes to the network function service from the third NF on behalf of the second NF.
  16. The method according to any one of claims 12 to 15, characterized in that the method further comprises:
    the third NF sending an authorization notification to the second NF when the verification succeeds, where the authorization notification contains an authorization result, and the authorization result includes that the second NF has the authority to receive the network function service provided by the third NF.
  17. The method according to any one of claims 12 to 16, characterized in that the verification includes one or more of the following: performing an integrity check on the token; checking whether the token is used to indicate that the second NF has the authority to receive the network function service provided by the third NF; checking the validity of the token; checking whether the identifier of the service provider contained in the token is the same as the identifier of the third NF; and checking whether the token is consistent with a token stored in the third NF.
  18. The method according to any one of claims 12 to 17, characterized in that the subscription response further carries the token or an authorization result, and the authorization result includes that the first NF has the authority to subscribe to the network function service from the third NF on behalf of the second NF, and that the second NF has the authority to receive the network function service provided by the third NF.
  19. The method according to any one of claims 12 to 18, characterized in that the third NF sends a notification to the first NF, where the notification carries the token or an authorization result, and the authorization result includes that the first NF has the authority to subscribe to the network function service from the third NF on behalf of the second NF, and that the second NF has the authority to receive the network function service provided by the third NF.
  20. A proxy subscription system, characterized in that it comprises:
    a first network function NF, configured to send a token request to a network function repository function NRF, where the token request includes an identifier of the first NF and an identifier of a second NF; and
    the NRF, configured to receive the token request from the first NF, generate a token based on the token request, and send the token to the first NF, where the token is used to indicate whether the first NF has the authority to subscribe to a network function service from a third NF on behalf of the second NF, and to indicate whether the second NF has the authority to receive the network function service provided by the third NF.
  21. The system according to claim 20, characterized in that the first NF is further configured to send a subscription request to the third NF, where the subscription request carries the token.
  22. The system according to claim 20 or 21, characterized in that the system further comprises:
    the third NF, configured to receive the subscription request from the first NF and verify the token carried in the subscription request to obtain a verification result, where, if the verification succeeds, the first NF has the authority to subscribe to the network function service from the third NF on behalf of the second NF, and the second NF has the authority to receive the network function service provided by the third NF; and if the verification fails, the first NF does not have the authority to subscribe to the network function service from the third NF on behalf of the second NF, and the second NF does not have the authority to receive the network function service provided by the third NF.
  23. The system according to claim 22, characterized in that the third NF is further configured to send a subscription response to the first NF, where the subscription response carries the token or an authorization result, and the authorization result includes that the first NF has the authority to subscribe to the network function service from the third NF on behalf of the second NF, and that the second NF has the authority to receive the network function service provided by the third NF; and
    the first NF is further configured to receive the subscription response from the third NF.
  24. The system according to claim 22 or 23, characterized in that the third NF is further configured to send an authorization notification to the second NF when the verification succeeds, where the authorization notification contains an authorization result, and the authorization result includes that the second NF has the authority to receive the network function service provided by the third NF; and
    the second NF is further configured to receive the authorization notification from the third NF.
  25. The system according to any one of claims 22 to 24, characterized in that the verification includes one or more of the following: performing an integrity check on the token; checking whether the token is used to indicate that the second NF has the authority to receive the network function service provided by the third NF; checking the validity of the token; checking whether the identifier of the service provider contained in the token is the same as the identifier of the third NF; and checking whether the token is consistent with a token stored in the third NF.
  26. The system according to any one of claims 22 to 25, characterized in that the third NF is further configured to send a notification to the first NF, where the notification carries the token or an authorization result, and the authorization result includes that the first NF has the authority to subscribe to the network function service from the third NF on behalf of the second NF, and that the second NF has the authority to receive the network function service provided by the third NF; and
    the first NF is further configured to receive the notification from the third NF.
  27. The system according to any one of claims 20 to 26, characterized in that the token request includes the identifier of the first NF and the identifier of the second NF.
  28. An authorization apparatus for proxy subscription, characterized in that it comprises:
    a processor, configured to be coupled to a memory, invoke a program in the memory, and execute the program to implement the method according to any one of claims 1 to 4.
  29. An authorization apparatus for proxy subscription, characterized in that it comprises:
    a processor, configured to be coupled to a memory, invoke a program in the memory, and execute the program to implement the method according to any one of claims 5 to 11.
  30. An authorization apparatus for proxy subscription, characterized in that it comprises:
    a processor, configured to be coupled to a memory, invoke a program in the memory, and execute the program to implement the method according to any one of claims 12 to 19.
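The token flow that claims 1 to 19 describe, as an added example that is not code from the patent or its applicant: an NRF issues a token naming the proxy subscriber (first NF), the receiver (second NF) and the producer (third NF), and the producer runs the checks listed in claim 17 before accepting the proxy subscription, reporting the receiver's identifier back (claim 14), announcing the authorization to the second NF (claim 16) and, on a later notification, comparing the presented token with the one it stored (last item of claim 17, claim 19). The token format (a JSON body plus an HMAC-SHA256 tag under a key shared by NRF and producer), the claim names `proxy_for`, `proxy_indication`, `aud` and `exp`, the NF identifiers, the key and the service name are all assumptions constructed for the example; the `run_flow` helper exercises the accepted path beside a forged body, a token issued for a different producer and an expired token.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed identifiers and key for the example; the patent fixes none of these.
NRF_KEY = b"constructed-nrf-signing-key"  # assumption: NRF and producer share this HMAC key
FIRST_NF = "nf-consumer-proxy-001"        # first NF: subscribes on behalf of the second NF
SECOND_NF = "nf-consumer-target-002"      # second NF: the receiver of the service
THIRD_NF = "nf-producer-003"              # third NF: the service producer


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class NRF:
    """Token issuer (claims 1-4): the token names proxy, receiver and producer."""

    def __init__(self, key: bytes, ttl: int = 600):
        self.key, self.ttl = key, ttl

    def issue_token(self, req: dict, now: float) -> str:
        # Claim 2: the request carries a proxy indication; without it no proxy token is issued.
        if not req.get("proxy_indication"):
            raise PermissionError("token request lacks the proxy indication")
        payload = {
            "iss": "nrf",
            "sub": req["first_nf"],         # proxy subscriber
            "aud": req["third_nf"],         # service provider the token is valid for
            "scope": req["scope"],
            "exp": int(now + self.ttl),
            "proxy_indication": True,       # claim 4: second indication information
            "proxy_for": req["second_nf"],  # claim 3: identifier of the second NF
        }
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return f"{_b64(body)}.{_b64(tag)}"


class ProducerNF:
    """Third NF (claims 12-19): verifies the token before accepting a proxy subscription."""

    def __init__(self, nf_id: str, key: bytes):
        self.nf_id, self.key = nf_id, key
        self.subscriptions = {}  # subscription id -> token accepted for it

    def verify_token(self, token: str, now: float, stored: Optional[str] = None):
        """The checks of claim 17; returns (ok, reason, payload)."""
        try:
            body_b64, tag_b64 = token.split(".")
            body, tag = _unb64(body_b64), _unb64(tag_b64)
        except ValueError:
            return False, "malformed token", None
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # integrity check, before parsing the body
            return False, "integrity check failed", None
        payload = json.loads(body)
        if not payload.get("proxy_indication") or "proxy_for" not in payload:
            return False, "token does not authorize a proxy subscription", None
        if payload.get("exp", 0) <= now:  # validity (lifetime)
            return False, "token expired", None
        if payload.get("aud") != self.nf_id:  # service provider identifier must be ours
            return False, "token issued for another service provider", None
        if stored is not None and not hmac.compare_digest(stored, token):
            return False, "token differs from the one stored for this subscription", None
        return True, "ok", payload

    def handle_subscription(self, request: dict, now: float) -> dict:
        """Claims 12-16 and 18: subscription response plus the notification target for the second NF."""
        ok, reason, payload = self.verify_token(request["token"], now)
        if not ok:
            return {"result": "failure", "reason": reason}
        sub_id = f"sub-{len(self.subscriptions) + 1}"
        self.subscriptions[sub_id] = request["token"]
        auth = {"proxy": payload["sub"], "receiver": payload["proxy_for"],  # claim 14
                "proxy_authorized": True, "receiver_authorized": True}
        return {"result": "success", "subscription_id": sub_id, "authorization_result": auth,
                "authorization_notification_to": payload["proxy_for"]}  # claim 16

    def notify(self, sub_id: str, token: str, event: dict, now: float) -> dict:
        """Claim 19: the notification to the first NF carries the token and the authorization result."""
        stored = self.subscriptions.get(sub_id)
        if stored is None:
            return {"result": "failure", "reason": "unknown subscription"}
        ok, reason, payload = self.verify_token(token, now, stored=stored)
        if not ok:
            return {"result": "failure", "reason": reason}
        return {"result": "success", "event": event, "token": token,
                "authorization_result": {"proxy": payload["sub"], "receiver": payload["proxy_for"]}}


def run_flow(now: float = 1_700_000_000.0) -> dict:
    """Runs the accepted path and three rejected tokens; returns every response for inspection."""
    nrf, producer = NRF(NRF_KEY), ProducerNF(THIRD_NF, NRF_KEY)
    token = nrf.issue_token({"first_nf": FIRST_NF, "second_nf": SECOND_NF, "third_nf": THIRD_NF,
                             "scope": "constructed-service", "proxy_indication": True}, now)
    accepted = producer.handle_subscription({"token": token}, now)
    # Forged body: the receiver identifier is swapped but the tag is left as issued.
    body_b64, tag_b64 = token.split(".")
    forged_payload = json.loads(_unb64(body_b64))
    forged_payload["proxy_for"] = "nf-other-consumer"
    forged_body = json.dumps(forged_payload, sort_keys=True, separators=(",", ":")).encode()
    forged = f"{_b64(forged_body)}.{tag_b64}"
    return {
        "accepted": accepted,
        "forged": producer.handle_subscription({"token": forged}, now),
        "wrong_producer": ProducerNF("nf-producer-999", NRF_KEY).handle_subscription({"token": token}, now),
        "expired": producer.handle_subscription({"token": token}, now + 600),
        "notification": producer.notify(accepted["subscription_id"], token, {"type": "constructed"}, now + 10),
    }
```

The order of checks matters: the integrity check runs before the body is parsed, so a producer never acts on claims it has not yet authenticated, and the audience check is what stops a token issued for one producer from being replayed at another. The stored-token comparison in `notify` is the example's reading of the last item in claim 17: the token presented on a later message for a subscription must be the one accepted when the subscription was created.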
PCT/CN2020/074251 2019-04-29 2020-02-04 Proxy subscription authorization method and device WO2020220783A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/082780 WO2020220919A1 (en) 2019-04-29 2020-04-01 Authorization method and device for proxy subscription

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201910356654 2019-04-29
CN201910356654.0 2019-04-29
CN201910888767.5A CN111865888B (en) 2019-04-29 2019-09-19 Proxy subscription authorization method and device
CN201910888767.5 2019-09-19

Publications (1)

Publication Number Publication Date
WO2020220783A1 true WO2020220783A1 (en) 2020-11-05

Family

ID=72970606

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/074251 WO2020220783A1 (en) 2019-04-29 2020-02-04 Proxy subscription authorization method and device

Country Status (2)

Country Link
CN (2) CN115361183A (en)
WO (1) WO2020220783A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113111339A (en) * 2021-05-13 2021-07-13 数字广东网络建设有限公司 Access control method, device, equipment and medium for application service

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4287557A4 (en) * 2021-02-21 2024-03-06 Huawei Technologies Co., Ltd. Service authorization method, system, and communication device
CN115623576A (en) * 2021-07-13 2023-01-17 华为技术有限公司 Data synchronization method, device and system
CN115915137A (en) * 2021-08-09 2023-04-04 华为技术有限公司 Network function service authorization method and device
WO2023092504A1 (en) * 2021-11-26 2023-06-01 Oppo广东移动通信有限公司 Subscription control method and apparatus, and computer device and storage medium
CN114867003A (en) * 2022-06-07 2022-08-05 中国电信股份有限公司 Cross-network request method, system, device, equipment and storage medium
WO2024103374A1 (en) * 2022-11-18 2024-05-23 Oppo广东移动通信有限公司 Processing method and apparatus for proxy subscription, and computer device and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014032543A1 (en) * 2012-08-30 2014-03-06 中兴通讯股份有限公司 Authentication and authorization processing method and apparatus
CN108206803A (en) * 2016-12-16 2018-06-26 腾讯科技(深圳)有限公司 Business acts on behalf processing method and processing device
WO2018172182A1 (en) * 2017-03-21 2018-09-27 Telefonaktiebolaget Lm Ericsson (Publ) Smf selection based on supported dnn
CN109688586A (en) * 2017-10-19 2019-04-26 中兴通讯股份有限公司 A kind of method, apparatus and computer readable storage medium of network function certification

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101867590B (en) * 2009-04-14 2013-04-24 华为技术有限公司 Subscription method based on session initiation protocol, and device thereof
CN108632312B (en) * 2017-03-20 2020-01-17 中国移动通信有限公司研究院 Network function information interaction method and device
CN108632216B (en) * 2017-03-20 2020-10-16 电信科学技术研究院 Network function authorization method, device, readable storage medium and entity equipment
CN109274512B (en) * 2017-07-17 2021-12-07 中兴通讯股份有限公司 Management method and device for proxy call service control function
CN109587187B (en) * 2017-09-28 2024-08-02 华为技术有限公司 Method, device and system for calling network function service
US10671462B2 (en) * 2018-07-24 2020-06-02 Cisco Technology, Inc. System and method for message management across a network

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113111339A (en) * 2021-05-13 2021-07-13 数字广东网络建设有限公司 Access control method, device, equipment and medium for application service
CN113111339B (en) * 2021-05-13 2023-12-19 数字广东网络建设有限公司 Access control method, device, equipment and medium for application service

Also Published As

Publication number Publication date
CN115361183A (en) 2022-11-18
CN111865888B (en) 2022-08-19
CN111865888A (en) 2020-10-30

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20798308

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20798308

Country of ref document: EP

Kind code of ref document: A1