WO2023011630A1 - Authorization verification method and apparatus - Google Patents


Info

Publication number
WO2023011630A1
Authority
WO
WIPO (PCT)
Prior art keywords
network element
identifier
service
request message
access token
Application number
PCT/CN2022/110535
Other languages
French (fr)
Chinese (zh)
Inventor
吴义壮
吴�荣
Original Assignee
华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/08 Access security
    • H04W 12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W 12/122 Counter-measures against attacks; Protection against rogue devices

Definitions

  • the NF service provider verifies whether the NF set ID in the claims matches its own NF Set ID;
  • if the SCP stores an available access token, or the access token is included in S301, the SCP skips S303 to S305 and directly executes the service request procedure towards the NF service provider.
  • the SCP stores an available access token, or the access token is included in S301.
  • the SCP sends an NF service response message to the NF service consumer.
  • the first network element receives a service request message.
  • the first network element requests the third network element to verify whether the second network element belongs to the first NF set.
  • the first network element sends a first verification request message to the third network element; the first verification request message includes the identifier of the second network element and the identifier of the first NF set, and is used to request verification of whether the second network element belongs to the first NF set (the NF set indicated by the identifier of the first NF set), or in other words whether the identifier of the second network element corresponds to the identifier of the first NF set, or in other words whether the identifier of the NF set to which the second network element belongs matches the identifier of the first NF set.
  • the third network element sends indication information to the first network element; the indication information is used to indicate whether the second network element belongs to the first NF set, or whether the identifier of the second network element corresponds to the identifier of the first NF set, or whether the identifier of the second NF set matches the identifier of the first NF set.
  • the first network element receives the indication information from the third network element, and determines whether the second network element belongs to the first NF set according to the indication information.
  • the first network element obtains the identifier of the NF set corresponding to the second network element through the third network element, and verifies whether the second network element belongs to the First NF set.
  • the first network element sends a second verification request message to the third network element; the second verification request message includes the identifier of the second network element, and is used to request the identifier of the NF set corresponding to the second network element (denoted as the identifier of the second NF set).
  • the SCP sends the access token acquisition response message to the NFc1.
  • the NFp verifies the integrity of the access token.
  • after NFp determines that NFc2 has the right to use the access token, NFp further verifies the parameters in the claims, for example:
  • NFp verifies whether the claims match the requested service operation
  • Fig. 13 shows an exemplary flow chart of a method 800 provided by an embodiment of the present application.
  • the service consumer does not directly communicate with the NRF network element, and the SCP network element communicates with the NRF network element on behalf of the service consumer.
  • Method 800 may be implemented in conjunction with method 600 , for example, method 800 may be implemented after method 600 .
  • the method 800 may also be implemented independently, which is not limited in this application.
  • Method 800 includes:
  • NFp determines that NFc2 has the right to request the service, then NFp processes the NF service request of NFc2, and sends an NF service response message to the NF service consumer through the SCP. If any one of the above verification processes fails, the NFp sends an NF service response to the NFc2 through the SCP, and the NF service response is used to reject the NF service request.
  • the processing unit 12 is configured to determine whether to authorize the second network element to use the first service according to the identifier of the first NF set.
  • the transceiving unit 11 is specifically configured to: send a first verification request message to a third network element, where the first verification request message is used to request verification of whether the second network element belongs to the first NF set indicated by the identifier of the first NF set, and the first verification request message includes the identifier of the second network element and the identifier of the first NF set; and receive indication information from the third network element;
  • the disclosed devices and methods may be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the above units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
  • each functional unit in each embodiment of the present application may be integrated into one unit, each unit may exist separately physically, or two or more units may be integrated into one unit.

Abstract

Provided in the present application is an authorization verification method. The method may comprise: a first network element receiving a service request message associated with a second network element, wherein the service request message is used for requesting a first service, which is provided by the first network element for the second network element, the service request message comprises an access token, the access token comprises an identifier of a first network function (NF) set, and the identifier of the first NF set is used for indicating the service requesting network elements to which the access token is applicable; and the first network element determining, according to the identifier of the first NF set, whether to authorize the second network element to use the first service. In the present application, whether a network element that requests a service belongs to the NF set corresponding to the access token carried in the request message is verified in order to determine whether to authorize that network element, so that a malicious NF service consumer can be blocked from using the access token in an unauthorized manner to acquire a service.

Description

Method and device for authorization verification
This application claims priority to the Chinese patent application with application number 202110904483.8, titled "Method and device for authorization verification", filed with the China Patent Office on August 6, 2021, the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the field of communication technologies, and in particular to a method and device for authorization verification.
Background
In the fifth-generation (5G) service-based architecture, the two parties that communicate over a service-based interface are called the service consumer and the service producer (service provider). The party that requests a service is called the service consumer (also called the service requesting network element), and the party that provides the service is called the service provider (also called the service providing network element). When an NF service consumer requests a service from an NF service provider, the network function (NF) service provider needs to perform an authorization check on the requested service, that is, check whether the NF service consumer is authorized to use the requested service. The authorization procedure ensures that a service consumer obtains only services it is authorized for, and prevents a malicious NF service consumer from using a service beyond its authority or illegally. For example, the NF service requester first obtains an access token and carries that access token in the service request message it sends to the NF service provider, and the NF service provider performs the authorization check on the service request according to the access token.
On the other hand, to make the network more reliable, the concept of an NF set has been introduced. For example, an NF set may be a group of interchangeable NF instances that have the same type and support the same network slice; the NF instances in one NF set may be deployed in different geographic locations but can access the same context data. In scenarios such as failure or load balancing, any NF in an NF set can be replaced by another NF in the same NF set, which achieves load balancing or disaster recovery between NFs and ensures the reliability of the network.
In the NF set scenario, how to reduce frequent requests for access tokens while avoiding unauthorized or illegal use of an access token to obtain services is a problem that urgently needs to be solved.
Summary of the invention
This application provides an authorization verification method to prevent a malicious NF service consumer from using an access token beyond its authority to obtain a service.
In a first aspect, an authorization verification method is provided. The method includes: a first network element receives a service request message associated with a second network element, where the service request message is used to request a first service that the first network element provides to the second network element, the service request message includes an access token, the access token includes an identifier of a first network function (NF) set, and the identifier of the first NF set is used to indicate the service requesting network elements to which the access token applies; and the first network element determines, according to the identifier of the first NF set, whether to authorize the second network element to use the first service.
Here, "the service requesting network elements to which the access token applies" specifically means that only an applicable service requesting network element may use the access token to obtain a service, or in other words that any network element outside the range of applicable service requesting network elements may not use the access token to obtain a service. For example, if the identifier of the first NF set indicates NF1, NF2, ... and NFn, then any NF that is not one of NF1, NF2, ... and NFn may not use the access token; whether a particular NF among NF1, NF2, ... and NFn may use the access token to obtain a service may of course still need to be judged according to other conditions. This application does not limit this.
Based on the above technical solution, when the second network element requests the first service from the first network element, the first network element determines, according to the identifier of the first NF set in the access token carried in the request message, whether to authorize the second network element to use the first service, which prevents a malicious NF service consumer from using the access token beyond its authority to obtain the service.
That the service request message is associated with the second network element can be understood as follows: the first network element receives the service request message directly from the second network element, or the first network element receives, through a service communication proxy network element, a service request message requesting that a service be provided to the second network element. For example, in a direct communication scenario the first network element receives the service request message from the second network element; in an indirect communication scenario the first network element receives the service request message from the service communication proxy network element.
The first network element may be a service providing network element, and the second network element may be a service requesting network element. "The first network element determines, according to the identifier of the first NF set, whether to authorize the second network element to use the first service" can also be understood as: the first network element determines, according to the identifier of the first NF set, whether the second network element is authorized to use the first service; or, the first network element determines, according to the identifier of the first NF set, to provide the first service to the second network element or to refuse to provide the first service to the second network element; or, the first network element, according to the identifier of the first NF set, provides the requested first service (that is, executes the first service) and sends a response message, or sends a response message indicating that the service request failed; or, the first network element, according to the identifier of the first NF set, provides the requested first service (that is, executes the first service) and sends a response message, or sends a response message indicating that the service request is rejected.
Concretely, the first network element determining whether to authorize the second network element to use the first service may take the following form: when the second network element is authorized to use the first service, the first network element provides the first service to the second network element; or, when the second network element is not authorized to use the first service, the first network element rejects the service request message, thereby refusing the second network element's request for the first service.
It should be understood that the access token is security protected, for example integrity protected, so that a malicious NF service consumer cannot tamper with the parameters inside the access token.
With reference to the first aspect, in some implementations of the first aspect, the first network element determining, according to the identifier of the first NF set, whether to authorize the second network element to use the first NF service includes: the first network element determines whether the second network element belongs to the first NF set indicated by the identifier of the first NF set; and when the second network element does not belong to the first NF set, the first network element refuses to provide the first service to the second network element. When the second network element does not belong to the first NF set, the first network element directly refuses to provide the first service to the second network element; or, when the second network element does not belong to the first NF set, the first network element sends a response message indicating that the service request failed; or, when the second network element does not belong to the first NF set, the first network element sends a response message indicating that the service request is rejected; or, when the second network element does not belong to the first NF set, the first network element determines that the second network element is not authorized to use the access token (or is not authorized to use the first service), and therefore refuses to provide the first service to the second network element.
With reference to the first aspect, in some implementations of the first aspect, the first network element determining, according to the identifier of the first NF set, whether to authorize the second network element to use the first NF service includes: the first network element obtains the identifier of the first NF set from the access token; the first network element determines, according to the identifier of the first NF set, whether the second network element belongs to the first NF set indicated by that identifier; and when the second network element does not belong to the first NF set, the first network element refuses to provide the first service to the second network element.
That is, the first network element judges, according to the identifier of the first NF set, whether the second network element belongs to the first NF set indicated by that identifier, and thereby judges whether to authorize the second network element to use the first service, or whether to provide the first service to the second network element.
Based on the above technical solution, determining whether to authorize the second network element to use the first NF service by verifying whether the second network element belongs to the first NF set prevents a malicious NF service consumer from using the access token beyond its authority to obtain the service.
With reference to the first aspect, in some implementations of the first aspect, the first network element determining, according to the identifier of the first NF set, whether to authorize the second network element to use the first service includes: the first network element sends a first verification request message to a third network element, where the first verification request message is used to request verification of whether the second network element belongs to the first NF set indicated by the identifier of the first NF set, and the first verification request message includes the identifier of the second network element and the identifier of the first NF set; the first network element receives indication information from the third network element; the first network element determines, according to the indication information, whether the second network element belongs to the first NF set; and when the second network element does not belong to the first NF set, the first network element refuses to provide the first service to the second network element.
The first network element refusing to provide the first service to the second network element may take the following form: the first network element sends a service response message to the second network element, where the service response message is used to indicate that provision of the first service is refused, or that the service request failed. Optionally, the service response message further includes the reason for the refusal; for example, the reason may be that verification of the access token failed.
Based on the above technical solution, using the third network element to determine whether to authorize the second network element to use the first service prevents a malicious NF service consumer from using the access token beyond its authority to obtain the service.
With reference to the first aspect, in some implementations of the first aspect, the first network element determining, according to the identifier of the first NF set, whether to authorize the second network element to use the first service includes: the first network element sends a second verification request message to a third network element, where the second verification request message is used to request the identifier of the NF set to which the second network element belongs, and the second verification request message includes the identifier of the second network element; the first network element receives an identifier of a second NF set from the third network element; and when the identifier of the second NF set differs from the identifier of the first NF set, the first network element refuses to provide the first service to the second network element.
Based on the above technical solution, obtaining through the third network element the identifier of the NF set to which the second network element belongs, in order to judge whether the second network element belongs to the first NF set, makes it possible to determine whether the second network element has the authority to request the first service, and so prevents a malicious NF service consumer from using the access token beyond its authority.
With reference to the first aspect, in some implementations of the first aspect, the first network element determining, according to the identifier of the first NF set, whether to authorize the second network element to use the first service includes: the first network element sends a third verification request message to a third network element, where the third verification request message is used to request the identifiers of the NFs included in the first NF set indicated by the identifier of the first NF set, and the third verification request message includes the identifier of the first NF set; the first network element receives, from the third network element, the identifiers of the NFs included in the first NF set; and when the identifiers of the NFs included in the first NF set do not include the identifier of the second network element, the first network element refuses to provide the first service to the second network element.
Based on the above technical solution, obtaining through the third network element the identifiers of the NFs included in the first NF set, in order to judge whether the second network element belongs to the first NF set, makes it possible to determine whether the second network element has the authority to request the first service, and so prevents a malicious NF service consumer from using the access token beyond its authority to obtain the service.
It should be noted that, when the second network element does belong to the first NF set, the other parameters in the access token still need to be verified further (for example, parameters in the access token such as the expected service name and the NF type); only when that verification passes does the first network element determine that the second network element is authorized to use the first service.
With reference to the first aspect, in some implementations of the first aspect, the first network element determining whether the second network element belongs to the first NF set indicated by the identifier of the first NF set includes: the first network element determines, according to configuration information and the identifier of the second network element, whether the second network element belongs to the first NF set, where the configuration information includes the identifiers of the NFs in the first NF set and/or the identifier of the NF set to which the second network element belongs.
With reference to the first aspect, in some implementations of the first aspect, before the first network element determines, according to the configuration information and the identifier of the second network element, whether the second network element belongs to the first NF set, the method further includes: the first network element stores the configuration information.
With reference to the first aspect, in some implementations of the first aspect, the access token further includes other verification conditions, and the method further includes: the first network element determines, according to the other verification conditions, whether to authorize the second network element to use the first service, where the other verification conditions include one or more of the following: the NF instance identifier of the service provider, the NF type of the service provider, the single network slice selection assistance information of the service provider, the network slice instance identifier of the service provider, the identifier of the NF set to which the service provider belongs, the expected service name, and the validity time of the access token.
With reference to the first aspect, in some implementations of the first aspect, the first network element determining, according to the identifier of the first NF set, whether to authorize the second network element to use the first service includes: when the second network element belongs to the first NF set indicated by the identifier of the first NF set and the other verification conditions are verified successfully, the first network element determines to authorize the second network element to use the first service.
With reference to the first aspect, in some implementations of the first aspect, the first network element determining, according to the identifier of the first NF set, whether to authorize the second network element to use the first service includes: when the second network element does not belong to the first NF set indicated by the identifier of the first NF set, and/or any one of the other verification conditions fails verification, the first network element refuses to provide the service to the second network element.
It should be noted that the embodiments of this application do not limit the order in which the first network element verifies whether the second network element belongs to the first NF set indicated by the identifier of the first NF set and verifies the other verification conditions.
Based on the above technical solution, determining from local configuration information whether the second network element belongs to the first NF set makes it possible to determine whether the second network element has the authority to request the first service, and so prevents a malicious NF service consumer from using the access token beyond its authority to obtain the service.
With reference to the first aspect, in some implementations of the first aspect, the method further includes: the first network element obtaining the identifier of the second network element from the certificate of the second network element; or the first network element receiving a client credentials assertion (CCA) of the second network element from a service communication proxy (SCP) network element, where the CCA includes the identifier of the second network element; or the first network element obtaining the identifier of the second network element from the service request message.
Based on the above technical solution, the identifier of the second network element is obtained from the certificate or the CCA of the second network element, and that identifier is used to determine whether the second network element is entitled to use the first service, which prevents a malicious NF service consumer from using an access token beyond its authority to obtain a service.
With reference to the first aspect, in some implementations of the first aspect, the access token further includes an identifier of a fourth network element, the identifier of the fourth network element is used to indicate that the access token was obtained at the request of the fourth network element, and the fourth network element belongs to the first NF set indicated by the identifier of the first NF set; the method further includes: the first network element determining that the identifier of the second network element differs from the identifier of the fourth network element.
Based on the above technical solution, it can be determined whether the second network element is the network element that requested the access token. If it is, there is no need to verify whether the second network element belongs to the first NF set indicated by the identifier of the first NF set; if it is not, it is necessary to verify whether the second network element belongs to the first NF set indicated by the identifier of the first NF set. This prevents a malicious NF service consumer from using an access token beyond its authority to obtain a service, and reduces the signaling consumed by verification.
With reference to the first aspect, in some implementations of the first aspect, the method further includes: when the first network element determines that the second network element belongs to the first NF set indicated by the identifier of the first NF set, the first network element storing an association between the identifier of the second network element and the identifier of the first NF set.
Based on the above technical solution, when it is determined that the second network element belongs to the first NF set, that is, when it is determined that the second network element is entitled to request the first service, the association between the identifier of the second network element and the identifier of the first NF set is stored, so that when the second network element subsequently requests the first service again, the complex verification process can be avoided and resources saved.
With reference to the first aspect, in some implementations of the first aspect, the third network element is a network repository function (NRF) network element.
In a second aspect, a method for authorization verification is provided. The method includes: a third network element receiving a first verification request message from a first network element, where the first verification request message is used to request verification of whether a second network element belongs to a first NF set indicated by an identifier of the first NF set, and the first verification request message includes an identifier of the second network element and the identifier of the first NF set; the third network element determining, according to the identifier of the second network element and the identifier of the first NF set, whether the second network element belongs to the first NF set; and the third network element sending indication information to the first network element, where the indication information is used to indicate whether the second network element belongs to the first NF set.
With reference to the second aspect, in some implementations of the second aspect, the third network element determining, according to the identifier of the second network element and the identifier of the first NF set, whether the second network element belongs to the first NF set includes: the third network element determining, according to the identifier of the second network element and configuration information of the second network element, the identifier of the NF set to which the second network element belongs; when the identifier of the NF set to which the second network element belongs matches the identifier of the first NF set, the third network element determines that the second network element belongs to the first NF set; otherwise, the third network element determines that the second network element does not belong to the first NF set.
With reference to the second aspect, in some implementations of the second aspect, the third network element determining, according to the identifier of the second network element and the identifier of the first NF set, whether the second network element belongs to the first NF set includes: the third network element determining, according to the identifier of the first NF set and configuration information of the first NF set, the identifiers of the NFs in the first NF set; when the identifiers of the NFs in the first NF set include the identifier of the second network element, the third network element determines that the second network element belongs to the first NF set; otherwise, the third network element determines that the second network element does not belong to the first NF set.
With reference to the second aspect, in some implementations of the second aspect, the method further includes: the third network element receiving a fourth request message from a fourth network element, where the fourth request message includes the identifier of the first NF set, the fourth request message is used to request an access token, the access token is used by NFs of the first NF set to request an NF service, and the fourth network element belongs to the first NF set; the third network element determining, according to configuration information, whether the fourth network element belongs to the first NF set; and when the fourth network element belongs to the first NF set, the third network element sending the access token to the fourth network element.
In a third aspect, a method for authorization verification is provided. The method includes: a third network element receiving a second verification request message from a first network element, where the second verification request message is used to request the identifier of the NF set to which a second network element belongs, and the second verification request message includes the identifier of the second network element; the third network element determining, according to the identifier of the second network element, the identifier of the NF set to which the second network element belongs; and the third network element sending the identifier of a second NF set to the first network element, where the second NF set is the NF set to which the second network element belongs.
With reference to the third aspect, in some implementations of the third aspect, the method further includes: the third network element receiving a fourth request message from a fourth network element, where the fourth request message includes the identifier of a first NF set, the fourth request message is used to request an access token, the access token is used by NFs of the first NF set to request an NF service, and the fourth network element belongs to the first NF set; the third network element determining, according to configuration information, whether the fourth network element belongs to the first NF set; and when the fourth network element belongs to the first NF set, the third network element sending the access token to the fourth network element.
In a fourth aspect, a method for authorization verification is provided. The method includes: a third network element receiving a third verification request message from a first network element, where the third verification request message is used to request the identifiers of the NFs included in a first NF set indicated by an identifier of the first NF set, and the third verification request message includes the identifier of the first NF set; the third network element determining, according to the identifier of the first NF set, the identifiers of the NFs included in the first NF set; and the third network element sending the identifiers of the NFs included in the first NF set to the first network element.
With reference to the fourth aspect, in some implementations of the fourth aspect, the method further includes: the third network element receiving a fourth request message from a fourth network element, where the fourth request message includes the identifier of the first NF set, the fourth request message is used to request an access token, the access token is used by NFs of the first NF set to request an NF service, and the fourth network element belongs to the first NF set; the third network element determining, according to configuration information, whether the fourth network element belongs to the first NF set; and when the fourth network element belongs to the first NF set, the third network element sending the access token to the fourth network element.
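The following is an added illustration of the first through fourth aspects above; it is not code from the patent or from Huawei. An NRF (the third network element) issues a token that carries the consumer NF set identifier and the NF instance identifier of the requester (the fourth network element), and a producer (the first network element) checks the token as the first aspect describes: the other verification conditions first, then the requester shortcut, then NF set membership from local configuration or from an NRF query, with the verified association stored for later requests. The claim names (nfSetId, requesterNfInstanceId), the configuration layout and the use of a symmetric MAC in place of the NRF's signature are assumptions made here to keep the example self-contained.

```python
"""Added illustration of NF-set-scoped token verification (not code from the
patent): NRF issues a token for an NF set, producer verifies the consumer.
Claim names, configuration layout and the symmetric MAC are assumptions."""
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Nrf:
    """Third network element: issues tokens and answers NF set membership
    queries from its configuration (NF instance id -> NF set id)."""

    def __init__(self, key: bytes, nf_set_of: dict):
        self.key = key
        self.nf_set_of = nf_set_of

    def belongs(self, nf_id: str, set_id: str) -> bool:
        # second aspect: indicate whether nf_id is a member of set_id
        return self.nf_set_of.get(nf_id) == set_id

    def set_of(self, nf_id: str):
        # third aspect: return the NF set id the consumer belongs to
        return self.nf_set_of.get(nf_id)

    def members(self, set_id: str) -> set:
        # fourth aspect: return the NF ids that make up the set
        return {nf for nf, s in self.nf_set_of.items() if s == set_id}

    def issue_token(self, requester, set_id, producer_type, service, ttl=3600):
        # the requester must itself belong to the set it asks a token for
        if not self.belongs(requester, set_id):
            raise PermissionError(f"{requester} is not in NF set {set_id}")
        claims = {"iss": "nrf", "nfSetId": set_id, "requesterNfInstanceId": requester,
                  "aud": producer_type, "scope": service, "exp": int(time.time()) + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        tag = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return body + "." + tag


class Producer:
    """First network element: verifies the token and decides whether the
    consumer (second network element) may use the requested service."""

    def __init__(self, key: bytes, nf_type: str, nrf: Nrf, local_config=None):
        self.key, self.nf_type, self.nrf = key, nf_type, nrf
        self.local_config = local_config or {}  # consumer id -> NF set id
        self.cache = {}                         # stored consumer/NF set associations

    def _decode(self, token: str) -> dict:
        body, tag = token.split(".", 1)
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            raise PermissionError("bad token MAC")
        return json.loads(_unb64(body))

    def _is_member(self, consumer: str, set_id: str) -> bool:
        if self.cache.get(consumer) == set_id:
            return True                                  # verified earlier
        if consumer in self.local_config:                # local configuration
            ok = self.local_config[consumer] == set_id
        else:                                            # ask the NRF
            ok = self.nrf.belongs(consumer, set_id)
        if ok:
            self.cache[consumer] = set_id
        return ok

    def authorize(self, consumer: str, token: str, service: str, now=None) -> bool:
        # `consumer` is the authenticated identity (TLS certificate, CCA or request)
        now = time.time() if now is None else now
        try:
            c = self._decode(token)
        except (ValueError, PermissionError):
            return False
        # other verification conditions: audience, expected service, validity time
        if c.get("aud") != self.nf_type or c.get("scope") != service or c.get("exp", 0) <= now:
            return False
        # the requester was already checked against the set by the NRF at issue time
        if consumer == c.get("requesterNfInstanceId"):
            return True
        return self._is_member(consumer, c.get("nfSetId"))


def demo() -> dict:
    key = b"shared-secret-for-illustration-only"
    nrf = Nrf(key, {"amf-1": "set-amf-a", "amf-2": "set-amf-a", "amf-9": "set-amf-b"})
    token = nrf.issue_token("amf-1", "set-amf-a", "UDM", "nudm-uecm")
    udm = Producer(key, "UDM", nrf, local_config={"amf-2": "set-amf-a"})
    return {
        "requester": udm.authorize("amf-1", token, "nudm-uecm"),
        "set_peer": udm.authorize("amf-2", token, "nudm-uecm"),
        "outsider": udm.authorize("amf-9", token, "nudm-uecm"),
        "wrong_service": udm.authorize("amf-1", token, "nudm-sdm"),
        "tampered": udm.authorize("amf-1", token + "x", "nudm-uecm"),
        "cached_peer": udm.cache.get("amf-2"),
    }
```

Two points a practitioner should keep in mind when turning this into a real check: the requester shortcut is only safe because `consumer` is the identity established from the consumer's certificate or CCA rather than a value the consumer can write into the request, and the stored association has to be dropped when the NF set is reconfigured (or at least bounded by the token's validity time), otherwise an NF removed from the set keeps the access it was granted earlier.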
In a fifth aspect, an apparatus for authorization verification is provided. The apparatus includes: a transceiver unit, configured to receive a service request message associated with a second network element, where the service request message is used to request a first service provided by the first network element to the second network element, the service request message includes an access token, the access token includes an identifier of a first network function (NF) set, and the identifier of the first NF set is used to indicate the service-requesting network elements to which the access token applies; and a processing unit, configured to determine, according to the identifier of the first NF set, whether to authorize the second network element to use the first service.
With reference to the fifth aspect, in some implementations of the fifth aspect, the processing unit is specifically configured to: determine whether the second network element belongs to the first NF set indicated by the identifier of the first NF set; and when the second network element does not belong to the first NF set, refuse to provide the first service to the second network element.
With reference to the fifth aspect, in some implementations of the fifth aspect, the processing unit is specifically configured to: obtain the identifier of the first NF set from the access token; determine, according to the identifier of the first NF set, whether the second network element belongs to the first NF set indicated by the identifier of the first NF set; and when the second network element does not belong to the first NF set, refuse to provide the first service to the second network element.
With reference to the fifth aspect, in some implementations of the fifth aspect, the transceiver unit is specifically configured to: send a first verification request message to a third network element, where the first verification request message is used to request verification of whether the second network element belongs to the first NF set indicated by the identifier of the first NF set, and the first verification request message includes the identifier of the second network element and the identifier of the first NF set; and receive indication information from the third network element; and the processing unit is specifically configured to: determine, according to the indication information, whether the second network element belongs to the first NF set; and when the second network element does not belong to the first NF set, refuse to provide the first service to the second network element.
With reference to the fifth aspect, in some implementations of the fifth aspect, the transceiver unit is specifically configured to: send a second verification request message to a third network element, where the second verification request message is used to request the identifier of the NF set to which the second network element belongs, and the second verification request message includes the identifier of the second network element; and receive an identifier of a second NF set from the third network element; and the processing unit is specifically configured to: when the identifier of the second NF set differs from the identifier of the first NF set, refuse to provide the first service to the second network element.
With reference to the fifth aspect, in some implementations of the fifth aspect, the transceiver unit is specifically configured to: send a third verification request message to a third network element, where the third verification request message is used to request the identifiers of the NFs included in the first NF set indicated by the identifier of the first NF set, and the third verification request message includes the identifier of the first NF set; and receive the identifiers of the NFs included in the first NF set from the third network element; and the processing unit is specifically configured to: when the identifiers of the NFs included in the first NF set do not include the identifier of the second network element, refuse to provide the first service to the second network element.
With reference to the fifth aspect, in some implementations of the fifth aspect, the processing unit is specifically configured to: determine, according to configuration information and the identifier of the second network element, whether the second network element belongs to the first NF set, where the configuration information includes the identifiers of the NFs in the first NF set and/or the identifier of the NF set to which the second network element belongs.
With reference to the fifth aspect, in some implementations of the fifth aspect, the transceiver unit is further configured to: obtain the identifier of the second network element from the certificate of the second network element; or receive a client credentials assertion (CCA) of the second network element from a service communication proxy (SCP) network element, where the CCA includes the identifier of the second network element; or obtain the identifier of the second network element from the service request message.
With reference to the fifth aspect, in some implementations of the fifth aspect, the access token further includes an identifier of a fourth network element, the fourth network element belongs to the first NF set indicated by the identifier of the first NF set, and the identifier of the fourth network element is used to indicate that the access token was obtained at the request of the fourth network element; and the processing unit is further configured to: determine that the identifier of the second network element differs from the identifier of the fourth network element.
With reference to the fifth aspect, in some implementations of the fifth aspect, the processing unit is further configured to: when it is determined that the second network element belongs to the first NF set indicated by the identifier of the first NF set, store an association between the identifier of the second network element and the identifier of the first NF set.
With reference to the fifth aspect, in some implementations of the fifth aspect, the third network element is a network repository function (NRF) network element.
With reference to the fifth aspect, in some implementations of the fifth aspect, the access token further includes other verification conditions, and the processing unit is further configured to: determine, according to the other verification conditions, whether to authorize the second network element to use the first service, where the other verification conditions include one or more of the following: the NF instance identifier of the service provider, the NF type of the service provider, the single network slice selection assistance information (S-NSSAI) of the service provider, the network slice instance identifier of the service provider, the identifier of the NF set to which the service provider belongs, the expected service name, and the validity time of the access token.
With reference to the fifth aspect, in some implementations of the fifth aspect, the processing unit is specifically configured to: when the second network element belongs to the first NF set indicated by the identifier of the first NF set and the other verification conditions are verified successfully, determine to authorize the second network element to use the first service.
With reference to the fifth aspect, in some implementations of the fifth aspect, the processing unit is specifically configured to: when the second network element does not belong to the first NF set indicated by the identifier of the first NF set, and/or any one of the other verification conditions fails verification, refuse to provide the service to the second network element.
In a sixth aspect, a computer-readable storage medium is provided. The computer-readable storage medium stores a computer program, and when the computer program runs on a computer, the computer is caused to perform the method according to any one of the first to fifth aspects.
In a seventh aspect, a computer program product is provided. The computer program product includes computer program instructions, and when the computer program instructions run on a computer, the computer is caused to perform the method according to any one of the first to fifth aspects.
In an eighth aspect, a communication apparatus is provided. The apparatus includes at least one processor, and the at least one processor is configured to execute a computer program or instructions stored in a memory, so as to perform the method according to any one of the first to fifth aspects.
Brief description of the drawings
FIG. 1 is a schematic diagram of a network architecture applicable to the embodiments of this application.
FIG. 2 and FIG. 3 are schematic diagrams of two communication modes in a direct communication scenario.
FIG. 4 and FIG. 5 are schematic diagrams of two communication modes in an indirect communication scenario.
FIG. 6 is an exemplary flowchart of an NF service request and authorization method.
FIG. 7 is an exemplary flowchart of another NF service request and authorization method.
FIG. 8 is an exemplary flowchart of yet another NF service request and authorization method.
FIG. 9 is an exemplary flowchart of an authorization verification method according to an embodiment of this application.
FIG. 10 is an exemplary flowchart of another authorization verification method according to an embodiment of this application.
FIG. 11 is an exemplary flowchart of yet another authorization verification method according to an embodiment of this application.
FIG. 12 is an exemplary flowchart of yet another authorization verification method according to an embodiment of this application.
FIG. 13 is an exemplary flowchart of yet another authorization verification method according to an embodiment of this application.
FIG. 14 is a schematic block diagram of an authentication and authorization apparatus according to an embodiment of this application.
FIG. 15 is a schematic structural diagram of an authentication and authorization device according to an embodiment of this application.
Detailed description of embodiments
本申请实施例的技术方案可以应用于各种通信系统,例如:长期演进(long term evolution,LTE)系统、LTE频分双工(frequency division duplex,FDD)系统、LTE时分双工(time division duplex,TDD)系统、通用移动通信系统(universal mobile telecommunication system,UMTS)、全球互联微波接入(worldwide interoperability for microwave access,WiMAX)通信系统、5G系统或新无线(new radio,NR)、第六代(6th generation,6G)系统或未来的通信系统等。本申请中所述的5G移动通信系统包括非独立组网(non-standalone,NSA)的5G移动通信系统或独立组网(standalone,SA)的5G移动通信系统。通信系统还可以是陆地公用移动通信网(public land mobile network,PLMN)网络、设备到设备(device-to-device,D2D)通信系统、机器到机器(machine to machine,M2M)通信系统、物联网(internet of Things,IoT)通信系统或者其他通信系统。The technical solution of the embodiment of the present application can be applied to various communication systems, for example: long term evolution (long term evolution, LTE) system, LTE frequency division duplex (frequency division duplex, FDD) system, LTE time division duplex (time division duplex) , TDD) system, universal mobile telecommunication system (universal mobile telecommunication system, UMTS), global interconnection microwave access (worldwide interoperability for microwave access, WiMAX) communication system, 5G system or new radio (new radio, NR), the sixth generation (6th generation, 6G) system or future communication system, etc. The 5G mobile communication system described in this application includes a non-standalone (NSA) 5G mobile communication system or a standalone (standalone, SA) 5G mobile communication system. The communication system may also be a public land mobile network (PLMN) network, a device-to-device (D2D) communication system, a machine-to-machine (M2M) communication system, an Internet of Things (Internet of Things, IoT) communication system or other communication systems.
为便于理解本申请实施例,首先结合图1详细说明适用于本申请实施例的网络架构。In order to facilitate understanding of the embodiment of the present application, the network architecture applicable to the embodiment of the present application will first be described in detail with reference to FIG. 1 .
图1是适用于本申请实施例提供的方法的网络架构的示意图。如图1所示,该网络架构例如是第三代合作伙伴计划(3rd generation partnership project,3GPP)定义的5G系统(the 5h generation system,5GS)。该网络架构为一种服务化的系统架构,图1虚线框内的网元为基于服务化接口通信的网元,即网元之间的通信使用服务化的接口。该网络架构可以包括接入网(access network,AN)和核心网(core network,CN),还可以包含用户设备(user equipment,UE)。FIG. 1 is a schematic diagram of a network architecture applicable to the method provided by the embodiment of the present application. As shown in FIG. 1 , the network architecture is, for example, the 5G system (the 5h generation system, 5GS) defined by the 3rd generation partnership project (3GPP). The network architecture is a service-oriented system architecture. The network elements in the dotted line box in FIG. 1 are network elements based on service-oriented interface communication, that is, communication between network elements uses a service-oriented interface. The network architecture may include an access network (access network, AN) and a core network (core network, CN), and may also include user equipment (user equipment, UE).
其中,接入网用于实现接入有关的功能,可以为特定区域的授权用户提供入网功能,并能够根据用户的级别,业务的需求等确定不同质量的传输链路以传输用户数据。接入网在终端设备与核心网之间转发控制信号和用户数据。接入网可以包括接入网络设备,接入网络设备可以是为终端设备提供接入的设备,可以包括无线接入网(radio access network,RAN)设备和AN设备。(R)AN设备,主要负责空口侧的无线资源管理、服务质量(quality of service,QoS)管理、数据压缩和加密等功能。RAN设备可以包括各种形式的基站,例如宏基站,微基站(也可称为小站),中继站,接入点,气球站等。在采用不同的无线接入技术的系统中,具备基站功能的设备的名称可能会有所不同,例如,在5G系统中,称 为RAN或者下一代基站(next-generation Node basestation,gNB);在长期演进(long term evolution,LTE)系统中,称为演进的节点B(evolved NodeB,eNB或eNodeB)。Among them, the access network is used to implement access-related functions, which can provide network access functions for authorized users in a specific area, and can determine transmission links of different qualities to transmit user data according to user levels and service requirements. The access network forwards control signals and user data between the terminal equipment and the core network. The access network may include access network devices, and the access network devices may be devices that provide access for terminal devices, and may include radio access network (radio access network, RAN) devices and AN devices. The (R)AN device is mainly responsible for wireless resource management, quality of service (QoS) management, data compression and encryption on the air interface side. RAN equipment may include various forms of base stations, such as macro base stations, micro base stations (also called small stations), relay stations, access points, and balloon stations. In systems using different radio access technologies, the names of equipment with base station functions may be different, for example, in 5G systems, it is called RAN or next-generation Node basestation (gNB); In a long term evolution (long term evolution, LTE) system, it is called an evolved Node B (evolved NodeB, eNB or eNodeB).
其中,核心网负责维护移动网络的签约数据,为UE提供会话管理、移动性管理、策略管理以及安全认证等功能。核心网可以包括如下网元:用户面功能(user plane function,UPF)、认证服务功能(authentication server function,AUSF)、接入和移动性管理功能(access and mobility management function,AMF)、会话管理功能(session management function,SMF)、网络切片选择功能(network slice selection function,NSSF)、网络开放功能(network exposure function,NEF)、网络功能仓储功能(NF repository function,NRF)、策略控制功能(policy control function,PCF)、统一数据管理(unified data management,UDM)和应用功能(application function,AF)。Among them, the core network is responsible for maintaining the subscription data of the mobile network, and providing functions such as session management, mobility management, policy management, and security authentication for the UE. The core network may include the following network elements: user plane function (user plane function, UPF), authentication server function (authentication server function, AUSF), access and mobility management function (access and mobility management function, AMF), session management function (session management function, SMF), network slice selection function (network slice selection function, NSSF), network exposure function (network exposure function, NEF), network function storage function (NF repository function, NRF), policy control function (policy control function, PCF), unified data management (unified data management, UDM) and application function (application function, AF).
The network elements shown in Figure 1 are briefly introduced below:
1. User equipment (UE): may also be called a terminal device, access terminal, subscriber unit, subscriber station, mobile station, mobile, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent or user apparatus.
A terminal device may be a device that provides voice/data connectivity to a user, for example a handheld device or vehicle-mounted device with a wireless connection function. Examples of current terminals include: mobile phones, tablets (pads), computers with wireless transceiver functions (such as laptops and palmtop computers), mobile internet devices (MIDs), virtual reality (VR) devices, augmented reality (AR) devices, wireless terminals in industrial control, wireless terminals in self-driving, wireless terminals in remote medical, wireless terminals in smart grid, wireless terminals in transportation safety, wireless terminals in smart city, wireless terminals in smart home, cellular phones, cordless phones, session initiation protocol (SIP) phones, wireless local loop (WLL) stations, personal digital assistants (PDAs), handheld devices with wireless communication capability, computing devices or other processing devices connected to a wireless modem, vehicle-mounted devices, wearable devices, terminal devices in a 5G network or terminal devices in a future evolved public land mobile network (PLMN), and so on.
A terminal device may also be a terminal device in an Internet of things (IoT) system. IoT is an important part of the future development of information technology; its main technical characteristic is to connect objects to the network through communication technology, forming an intelligent network of human-to-machine and machine-to-machine interconnection. IoT technology can achieve massive connectivity, deep coverage and terminal power saving through, for example, narrowband (NB) technology.
Terminal devices may further include sensors such as smart printers, train detectors and fuel station sensors. Their main functions include collecting data (for some terminal devices), receiving control information and downlink data from network devices, and transmitting electromagnetic waves to send uplink data to network devices.
It should be understood that a terminal device may be any device that can access the network. The terminal device and the access network device may communicate with each other using some air interface technology.
2. Access network (AN): the access network provides network access for authorized users in a specific area and includes radio access network (RAN) devices and AN devices. RAN devices are mainly 3GPP radio network devices, while AN devices may be access network devices defined outside 3GPP (non-3GPP).
The access network may use different access technologies. There are currently two types of radio access technology: 3GPP access technologies (for example those used in 3G, 4G or 5G systems) and non-3GPP access technologies. A 3GPP access technology is one that complies with the 3GPP specifications; for example, the access network device in a 5G system is called a next generation Node B (gNB) or RAN. A non-3GPP access technology is one that does not comply with the 3GPP specifications, for example the air interface technologies represented by the access point (AP) in wireless fidelity (WiFi), worldwide interoperability for microwave access (WiMAX), and code division multiple access (CDMA) networks. An access network device (AN device) may allow a terminal device and the 3GPP core network to interconnect using non-3GPP technology.
An access network that implements the access network functions using radio communication technology may be called a RAN. The radio access network is responsible for air-interface functions such as radio resource management, quality of service (QoS) management, data compression and encryption. It provides access services for terminal devices and thereby forwards control signalling and user data between the terminal and the core network.
The radio access network may include, without limitation: a macro base station, a micro base station (also called a small cell), a radio network controller (RNC), a Node B (NB), a base station controller (BSC), a base transceiver station (BTS), a home base station (for example a home evolved NodeB or home Node B, HNB), a baseband unit (BBU), an AP in a WiFi system, a wireless relay node, a wireless backhaul node, a transmission point (TP) or transmission and reception point (TRP), and so on. It may also be a gNB or transmission point (TRP or TP) in a 5G (for example NR) system, one or a group of antenna panels (including multiple antenna panels) of a base station in a 5G system, a network node that forms part of a gNB or transmission point, such as a baseband unit (BBU) or distributed unit (DU), or a base station in a next-generation 6G system. The embodiments of this application do not limit the specific technology or device form used by the radio access network device.
The access network may provide service for a cell. A terminal device may communicate with the cell over transmission resources (for example frequency-domain resources, or spectrum resources) allocated by the access network device.
3. AMF network element: mainly used for mobility management and access management, such as user location updates, user registration with the network and user handover. The AMF may also implement the functions of a mobility management entity (MME) other than session management, for example lawful interception or access authorization (or authentication).
4. SMF network element: mainly used for session management, allocation and management of the UE's internet protocol (IP) address, selection of a manageable user plane function, policy control, termination of the charging function interface, downlink data notification and so on. In the embodiments of this application, the SMF is mainly responsible for session management in the mobile network, such as session establishment, modification and release. Specific functions may include allocating an IP address to the terminal device and selecting a UPF that provides packet forwarding.
5. UPF network element: responsible for forwarding and receiving the user data of terminal devices. The UPF may receive user data from a data network (DN) and transmit it to the terminal device through the access network device; it may also receive user data from the terminal device through the access network device and forward it to the data network. The transmission resources and scheduling functions in the UPF that serve the terminal device are managed and controlled by the SMF.
6. Data network (DN): a service network that provides data services to users. It may be a private network such as a local area network, an external network not controlled by the operator such as the Internet, or a dedicated network jointly deployed by operators, such as a network providing the IP multimedia subsystem (IMS). The UE may access the DN through an established protocol data unit (PDU) session.
7. Authentication server function (AUSF): mainly used for user security authentication and the like.
8. Network exposure function (NEF) network element: mainly used to support the exposure of capabilities and events, for example to securely expose services and capabilities provided by 3GPP network functions to external parties.
9. Network repository function (NRF): mainly provides service registration, discovery and authorization, and maintains information about available network function (NF) instances, enabling on-demand configuration of network functions and services and interconnection between NFs. Service registration means that an NF must register with the NRF before it can provide services. Service discovery means that when an NF needs another NF to provide it a service, it first performs service discovery through the NRF to find the NF expected to serve it. For example, when NF 1 needs NF 2 to provide a service, NF 1 first performs service discovery through the NRF to discover NF 2.
10. PCF network element: a unified policy framework that guides network behaviour, provides policy rule information to control plane network elements (for example the AMF and SMF), and is responsible for obtaining the user subscription information relevant to policy decisions.
11. UDM network element: used to generate authentication credentials, perform user identity handling (such as storing and managing the user's permanent identity), access authorization control and subscription data management.
12. Application function (AF) network element: mainly supports interaction with the 3GPP core network to provide services, for example influencing data routing decisions, interacting with the policy control function (PCF), or providing third-party services to the network side.
13. Service communication proxy (SCP): used to route and forward service-based interface signalling. An operator may deploy SCPs as needed. An SCP provides routing and forwarding for the sender of service-based interface signalling, which may be, for example, an NF. Information about the corresponding SCP may be configured on the NF, and that SCP then provides message forwarding for the NF. When the NF needs to communicate through the SCP, it sends its messages to the configured SCP.
In the network architecture shown in Figure 1, the network elements may communicate over the interfaces shown in the figure. As shown, the UE and the AMF may interact over the N1 interface, and the messages exchanged may be called N1 messages. The RAN and the AMF may interact over the N2 interface, which may be used, for example, to send non-access stratum (NAS) messages. The RAN and the UPF may interact over the N3 interface, which may carry user plane data. The SMF and the UPF may interact over the N4 interface, which may carry information such as the tunnel identifier of the N3 connection, data buffering indications and downlink data notification messages. The UPF and the DN may interact over the N6 interface, which may carry user plane data. The relationships between the other interfaces and network elements are as shown in Figure 1 and, for brevity, are not described one by one here.
It should be understood that the network architecture applied to the embodiments of this application above is merely an example described from the perspective of the service-based architecture. The network architecture applicable to the embodiments of this application is not limited to it; any network architecture that can implement the functions of the above network elements is applicable.
It should also be understood that the AMF, SMF, UPF, network slice selection function (NSSF), NEF, AUSF, NRF, PCF and UDM shown in Figure 1 can be regarded as network elements in the core network that implement different functions and may, for example, be combined on demand into network slices. These core network elements may be separate devices or may be integrated in the same device to implement different functions; this application does not limit their specific form.
It should also be understood that the above names are defined only to distinguish different functions and do not limit this application. This application does not exclude the possibility that other names are used in 5G networks and other future networks. For example, in a 6G network some or all of the above network elements may keep the 5G terminology or may use other names. The interface names between the network elements in Figure 1 are only examples; in a specific implementation the interfaces may have other names, which this application does not specifically limit. Likewise, the names of the messages (or signalling) transmitted between the above network elements are only examples and do not limit the function of the messages themselves.
To facilitate understanding of the solutions provided by the embodiments of this application, the communication modes between service-based network elements are first briefly described.
In the 5G service-based system architecture, the two parties communicating over a service-based interface are called the service consumer and the service producer: the party requesting the service is the service consumer and the party providing the service is the service producer. A service consumer may also be called a consumer, consuming network element, user, requesting end, requester or service consuming network element. A service producer may also be called a providing network element, service providing network element, provider, producer or responder; this application does not limit these names.
Depending on whether the message exchange between the two communicating parties passes through an SCP, communication can be classified as direct or indirect. When the service consumer and the service producer exchange service messages directly, this is called direct communication. In indirect communication, the service consumer and the service producer exchange messages through one or more SCPs. Indirect communication may also be called non-direct communication.
Figure 2 is a schematic diagram of one communication mode in the direct communication scenario. In this mode no NRF is involved: the service consumer is configured with the service producer's information, and when it needs to communicate it selects a service producer according to its local configuration and sends the service request message to the selected service producer.
Figure 3 is a schematic diagram of another communication mode in the direct communication scenario. In this mode communication relies on the NRF: the service consumer performs the service discovery procedure through the NRF to discover the available service producers, selects a service producer based on the discovery result, and sends the service request message to the selected service producer.
Figure 4 is a schematic diagram of one communication mode in the indirect communication scenario. In this mode the service discovery procedure does not involve the SCP: the service consumer communicates directly with the NRF to perform service discovery and select the corresponding service producer.
Figure 5 is a schematic diagram of another communication mode in the indirect communication scenario. This mode is based on delegated discovery: the service consumer does not communicate with the NRF directly; instead, the SCP communicates with the NRF on behalf of the service consumer to perform the service discovery procedure and select the corresponding service producer.
An NF service request and authorization method 100 is described below with reference to Figure 6. Method 100 is a service request and authorization procedure in the direct communication scenario. As can be seen from Figure 6, method 100 includes:
S101: The NF service consumer sends an access token get request message to the NRF.
In the service-based system architecture, when an NF service consumer requests a service from an NF service producer, the NF service producer must perform an authorization check on the requested service, that is, check whether the NF service consumer is authorized to use the requested service. Only if the authorization check passes does the NF service producer provide the corresponding service to the NF service consumer.
For the NF service producer's authorization verification of the service requested by the NF service consumer, an access token based authorization scheme may be used. Before the NF service consumer requests a service from the NF service producer, it sends an access token get request (Nnrf_AccessToken_Get Request) message to the authorization network element to obtain an access token. For convenience, the NRF is used as the authorization network element in the description that follows.
In one case, the NF service consumer may request an access token for accessing the services of NF service producers of a specific network function type (NF type). In this case the access token get request message includes the NF instance ID of the NF service consumer, the expected service name, the NF type of the NF service consumer and the NF type of the NF service producer. Optionally, the access token get request message may also include additional scope (that is, the requested resources and the requested operations on those resources), the S-NSSAI list or NSI ID list of the expected NF service producer instances, the NF Set ID of the expected NF service producer instances, the S-NSSAI list of the NF service consumer, and so on.
In another case, the NF service consumer may request an access token for accessing the services of a specific NF service producer instance or NF service producer service instance. In this case the access token get request message includes the NF instance ID(s) of the requested NF service producer(s), the expected service name and the NF instance ID of the NF service consumer. Optionally, the access token get request message also includes additional scope (that is, the requested resources and the requested operations on those resources).
If the NF service consumer wishes to request an access token that any NF in its NF set can use to request the authorized service, the access token get request message includes an NF set ID identifying the NF set to which the NF service consumer belongs.
S102: The NRF verifies whether the NF service consumer is authorized to use the corresponding service.
The authorization network element verifies the parameters in the access token get request message. For example, it verifies whether the parameters carried in the request message (such as the NF type) match the public key certificate or NF profile of the NF service consumer. The authorization network element also checks whether the NF service consumer is authorized to access the requested service.
If the above verification passes, the authorization network element generates an access token containing claims. The claims include the NF instance ID of the authorization network element, the NF instance ID of the NF service consumer, the NF type of the NF service producer, the expected service name, the expiration time and so on. Optionally, the claims may also include additional scope (the allowed resources and the allowed operations on those resources), the S-NSSAI list or NSI ID list of the expected NF service producer instances, the NF Set ID of the expected NF service producer instances, and so on.
The authorization network element may also apply security protection to the generated access token; here this may be integrity protection. For example, the authorization network element uses a shared key to compute a message authentication code (MAC) over the access token and sends the MAC together with the access token to the NF service consumer; the MAC is used to verify that the information in the access token has not been tampered with. Alternatively, the authorization network element signs the claims with its private key, and the recipient of the token can use the signature to verify whether the claims have been tampered with.
If the access token get request message includes an NF set ID, the NRF determines whether the access token requested by the NF service consumer may be used by all NF service consumer instances in that NF set. If the NRF determines that the NF service consumer is authorized, it includes the NF set ID in the claims.
S103: The authorization network element (NRF) sends an access token get response message containing the access token to the NF service consumer.
For example, if all parameters in the access token get request message are verified and the NF service requester is authorized to access the requested service, the authorization network element sends the generated access token to the NF service consumer in an access token get response (Nnrf_AccessToken_Get Response) message. The response may also include other parameters, such as the expiration time of the access token and the scope of requests for which the access token may be used.
Correspondingly, the NF service consumer receives the access token from the authorization network element and stores it; within its validity period, the token is used for subsequent access to services of the NF producer type named in the claims.
If the authorization verification in S102 fails, the authorization network element sends an error response or a rejection response to the NF service consumer.
S104,NF服务消费者向NF服务提供者发送NF服务请求消息,该NF服务请求消息用于向NF服务提供者请求服务,该NF服务请求消息包括访问令牌。对应地,NF服务提供者从NF服务消费者接收该NF服务请求消息。S104. The NF service consumer sends an NF service request message to the NF service provider, where the NF service request message is used to request a service from the NF service provider, and the NF service request message includes an access token. Correspondingly, the NF service provider receives the NF service request message from the NF service consumer.
在一些情况下,该请求NF服务的NF消费者可能与请求获取访问令牌的NF消费者不同。此时,在该NF服务请求消息中携带NF set ID。In some cases, the NF consumer requesting the NF service may be different from the NF consumer requesting the access token. At this time, the NF set ID is carried in the NF service request message.
S105,NF服务提供者验证NF服务消费者是否被授权。S105. The NF service provider verifies whether the NF service consumer is authorized.
Exemplarily, the NF service provider obtains the access token from the NF service request message and verifies the integrity of the access token. For example, if the NF service request message carries a MAC value generated over the claims in the access token with a shared key (the key shared between the NF service provider and the NRF), the NF service provider verifies the MAC value with the shared key; for another example, if the NRF has signed the access token, the NF service provider verifies the signature with the NRF's public key.
After the integrity verification passes, the NF service provider further verifies the claims in the access token:
verify whether the NF instance ID or NF type of the NF service provider in the claims matches its own ID or type;
if the claims include S-NSSAIs or NSI IDs, the NF service provider verifies whether it can serve the corresponding slices;
if the claims include the NF Set ID of the NF service provider, the NF service provider verifies whether the NF Set ID in the claims matches its own NF Set ID;
if the claims include a service name, the NF service provider verifies whether it matches the requested service operation;
if the claims include additional scope information, the NF service provider verifies whether the additional scope matches the requested operation;
the NF service provider compares the expiration time in the access token with the current time to verify whether the access token has expired.
If the NF service request message includes an NF set ID, the NF service provider verifies whether that NF set ID matches the NF set ID in the claims of the access token.
If all of the above verifications succeed, the NF service provider executes the requested service and, in S106, sends an NF service response message to the NF service consumer. Otherwise it returns a response message indicating the verification error to the NF service consumer.
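The S105 checks above, written out as an added example (not code from the patent or from any 3GPP implementation). It assumes the MAC variant of integrity protection, realised here as HMAC-SHA256 over a canonical JSON encoding of the claims, and all names, claim keys and sample values (SHARED_KEY, PROVIDER, CLAIMS, REQUEST) are constructed for the example. The checks run in the order the text lists them, and integrity is verified before any claim is trusted.

```python
import hashlib
import hmac
import json
import time

# Constructed for this example: the key shared between the NRF and the NF service
# provider. A real deployment provisions it out of band; the value is not from the page.
SHARED_KEY = b"example-shared-key-between-nrf-and-producer"


def canonical(claims: dict) -> bytes:
    """Deterministic encoding so the NRF and the provider MAC exactly the same bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_token(claims: dict, key: bytes = SHARED_KEY) -> dict:
    """NRF side: attach an HMAC-SHA256 over the claims (the shared-key MAC variant)."""
    mac = hmac.new(key, canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "mac": mac}


def verify_access_token(token: dict, provider: dict, request: dict,
                        now=None, key: bytes = SHARED_KEY):
    """NF service provider side: the S105 checks, in the order the text lists them.

    Returns (authorized, reason) so the caller can build the error response."""
    now = time.time() if now is None else now
    claims = token["claims"]

    # Integrity first: everything below trusts the claims only after this passes.
    expected = hmac.new(key, canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return False, "access token integrity verification failed"

    # Audience: the claims name the provider by NF instance ID or by NF type.
    if claims["audience"] not in (provider["nf_instance_id"], provider["nf_type"]):
        return False, "audience does not match this NF service provider"

    # Slices: every S-NSSAI the token is scoped to must be one this provider serves.
    if "snssais" in claims and not set(claims["snssais"]) <= set(provider["snssais"]):
        return False, "provider cannot serve the slices in the claims"

    # Producer NF Set ID, when present, must be this provider's own set.
    if "producer_nf_set_id" in claims and claims["producer_nf_set_id"] != provider["nf_set_id"]:
        return False, "producer NF Set ID mismatch"

    # Scope: the requested service operation must be one of the granted service names.
    if "scope" in claims and request["service"] not in claims["scope"]:
        return False, "requested service operation not in token scope"

    # Expiry: compare the token's expiration time with the current time.
    if claims["exp"] <= now:
        return False, "access token expired"

    # A consumer other than the requester of the token carries its NF set ID in the
    # request; it must equal the consumer NF set ID bound into the claims.
    if "consumer_nf_set_id" in request and \
            request["consumer_nf_set_id"] != claims.get("consumer_nf_set_id"):
        return False, "NF set ID in request does not match NF set ID in claims"

    return True, "authorized"


# Constructed sample data (not from the page).
PROVIDER = {"nf_instance_id": "nf-p-0001", "nf_type": "UDM",
            "nf_set_id": "set1.udmset.5gc.mnc001.mcc001",
            "snssais": ["1-000001", "1-000002"]}
CLAIMS = {"audience": "UDM", "snssais": ["1-000001"], "scope": ["nudm-sdm"],
          "consumer_nf_set_id": "set1.amfset.5gc.mnc001.mcc001", "exp": 1_700_000_000}
TOKEN = issue_token(CLAIMS)
REQUEST = {"service": "nudm-sdm", "consumer_nf_set_id": "set1.amfset.5gc.mnc001.mcc001"}

if __name__ == "__main__":
    print(verify_access_token(TOKEN, PROVIDER, REQUEST, now=1_699_999_000))
```

The constant-time `hmac.compare_digest` matters because the MAC is the only thing standing between a forged claim set and the service; the slice check is deliberately a subset test, so a token scoped to a slice the provider does not serve is refused rather than partially honoured.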
Another NF service request and authorization method 200 is described below with reference to FIG. 7. Method 200 is a service request and authorization procedure in an indirect communication scenario; for example, method 200 may be applied to the indirect communication mode shown in FIG. 4. As can be seen from FIG. 7, method 200 includes:
S201. The NF service consumer performs the NF service provider discovery procedure through the NRF and discovers available NF service providers.
Further, the NF service provider obtains an access token through the NRF.
In one possible implementation (denoted scheme 1), the NF service consumer interacts directly with the NRF to obtain the access token. Exemplarily:
S202. The NF service consumer sends an access token acquisition request message to the NRF.
S203. The NRF sends an access token acquisition response message to the NF service consumer; the response message includes the access token.
It should be understood that S202 to S203 are similar to S101 to S103 in method 100. The NF service consumer may request an access token at NF type granularity or at NF service provider instance granularity. After the NRF receives the access token acquisition request message from the NF service consumer, it needs to verify whether the NF service consumer is authorized to request the access token (this step is not drawn in FIG. 7). For the specific procedure, refer to S101 to S103 in method 100, which is not repeated here.
It should be noted that, for requesting an access token at NF type granularity, S201 may be performed before S202 or after S203. That is, if the NF service consumer has not performed the service discovery procedure before the access token acquisition procedure, i.e. no available service provider information is present on the NF service consumer, the NF service consumer may perform the service discovery procedure after the access token acquisition procedure. For requesting an access token at NF service provider instance granularity, the service discovery procedure needs to be performed first.
In another possible implementation (denoted scheme 2), the NF service consumer and the NRF interact through the SCP to obtain the access token. Exemplarily:
S204. The NF service consumer sends an access token acquisition request message to the SCP.
The access token acquisition request message includes a client credentials assertion (CCA). The CCA includes the NF instance ID of the NF consumer, a timestamp and an expiration time, and the NF type. The NF service consumer signs the CCA with its private key; the signed CCA includes the public key certificate or certificate chain, or includes a uniform resource locator (URL) that locates the public key certificate or certificate chain.
The other parameters included in the access token acquisition request message are similar to those in the access token acquisition request message in S101 of method 100 and, for brevity, are not described again.
S205. The SCP sends the access token acquisition request message to the NRF.
S206. The NRF verifies whether the NF service consumer is authorized.
Exemplarily, if the access token acquisition request message includes a CCA, the NRF authenticates the NF service consumer according to the CCA. If the authentication passes, the NRF further performs an authorization check; the specific procedure is similar to S102 in method 100 and is not repeated here. If the authorization verification passes, the NRF generates an access token; the way the NRF distributes and protects the access token is similar to the related content in method 100 and is not repeated here.
S207. The NRF sends an access token acquisition response (Nnrf_AccessToken_Get Response) message to the SCP; the response message includes the access token.
S208. The SCP sends an access token acquisition response (Nnrf_AccessToken_Get Response) message to the NF service consumer; the response message includes the access token.
S209. The NF service consumer sends an NF service request message to the SCP; the service request message includes the access token and the CCA.
Correspondingly, the SCP receives the NF service request message from the NF. The SCP selects an NF service provider instance and performs application programming interface (API) modification, and in S210 sends the received NF service request message to the selected NF service provider instance.
S211. The NF service provider verifies whether the NF service consumer is authorized.
If the NF service request message includes a CCA, the NF service provider authenticates the NF service consumer by verifying the CCA. The other verification procedures are similar to S105 in method 100 and are not repeated here.
If the above steps are verified successfully, the NF service provider processes the service request and, in S212, sends an NF service response message to the SCP.
The SCP performs API modification and, in S213, sends an NF service response message to the NF service consumer.
Yet another NF service request and authorization method 300 is described below with reference to FIG. 8. Method 300 is a service request and authorization procedure in an indirect communication scenario; for example, method 300 is applied to the indirect communication mode shown in FIG. 5. As can be seen from FIG. 8, method 300 includes:
S301. The NF service consumer sends an access token acquisition request message to the SCP. The request message may include the CCA of the NF service consumer and may also include an access token. That access token was received in a service response message during an earlier interaction between the NF service consumer and the SCP. If the previously received access token has expired, the NF service consumer may include discovery parameters in the request; the discovery parameters are used to discover the NF service provider.
S302. A service discovery procedure is performed between the SCP and the NRF.
If no available access token is stored on the SCP and no access token was included in S301, the SCP initiates the access token acquisition procedure:
S303. The SCP sends an access token acquisition request message to the NRF.
S304. The NRF verifies whether the NF service consumer is authorized.
S305. The NRF sends an access token acquisition response message to the SCP.
It should be understood that S303 to S305 are similar to S205 to S207 in method 200 and are not repeated here.
It should be noted that, if what S303 requests is not an access token for a specific NF service provider, S302 may take place at any time between S303 and S306.
If the SCP has stored an available access token, or an access token was included in S301, the SCP skips S303 to S305 and performs the service request procedure directly towards the NF service provider. Exemplarily:
S306. The SCP sends an NF service request message to the NF service provider.
S307. The NF service provider verifies whether the NF service consumer is authorized.
S308. The NF service provider sends an NF service response message to the SCP.
S309. The SCP sends an NF service response message to the NF service consumer.
It should be understood that S306 to S309 are similar to S210 to S213 in method 200 and are not repeated here.
In methods 100 to 300 above, any NF in an NF set can request an access token for that NF set to be used for requesting services, and the other NFs in the NF set can use the access token requested by that NF to request services. However, a malicious NF service consumer may obtain the access token of another NF set, for example by eavesdropping, and use that access token beyond its authority or illegally to obtain services.
In view of this, the present application provides an authorization verification method that can prevent a malicious NF consumer from using an access token beyond its authority or illegally to obtain services.
FIG. 9 shows an exemplary flowchart of an authorization verification method 400 provided by an embodiment of the present application. Method 400 includes:
S401. A first network element receives a service request message.
The service request message is associated with a second network element. For example, in a direct communication scenario the first network element receives the service request message from the second network element; in an indirect communication scenario the first network element receives the service request message from a service communication proxy network element, where the service communication proxy network element may have received the service request message directly from the second network element or from the second network element through one or more other service communication proxy network elements. That is to say, in the indirect communication scenario the first network element may communicate with the second network element through one or more service communication proxy network elements.
The first network element may be a service providing network element, and the second network element may be a service requesting network element.
The service request message is used to request that the first network element provide a first service to the second network element. The service request message includes an access token, and the access token includes an identifier of a first NF set; that is, the access token is associated with the identifier of the first NF set, or in other words the access token is used by NFs in the first NF set to request services. The identifier of the first NF set indicates the service requesting network elements to which the access token applies; that is, the first NF set corresponds to the service requesting network elements.
It should be understood that the access token is security protected, so a malicious NF cannot tamper with the information in the access token. The security protection may be applied to the access token by the network element that distributes it (for example, a third network element). For example, the third network element uses a shared key to generate an integrity protection parameter (for example, a message authentication code, MAC) over the access token (or over parameters in the access token), and the second network element carries the integrity protection parameter in the service request message; the first network element can then verify, according to the integrity protection parameter, whether the information in the access token has been tampered with. For another example, the third network element signs the information in the token with its private key; after the first network element obtains the access token from the service request message, it verifies the signature to determine whether the information in the access token has been tampered with.
Optionally, the access token may further include an identifier of a fourth network element, which belongs to the first NF set; the identifier of the fourth network element indicates that the access token was obtained at the request of the fourth network element. After the first network element obtains the identifier of the fourth network element from the service request message, it determines whether the identifier of the second network element matches the identifier of the fourth network element. If they do not match, the second network element differs from the fourth network element, or in other words the access token was not obtained at the request of the second network element, and then further:
S402. The first network element determines, according to the identifier of the first NF set, whether to authorize the second network element to use the first service.
That is to say, before the first network element determines according to the identifier of the first NF set whether to authorize the second network element to use the first service, the first network element optionally determines that the identifier of the first network element differs from the identifier of the fourth network element. It should be noted that if the identifier of the first network element is the same as the identifier of the fourth network element, the verification of step S402 may be skipped. It should also be noted that the first network element determining, according to the identifier of the first NF set, whether to authorize the second network element to use the first service may equally be understood as: the first network element determining, according to the identifier of the first NF set, whether the second network element is authorized to use the first service; or the first network element determining, according to the identifier of the first NF set, to provide the first service to the second network element or to refuse to provide it; or the first network element, according to the identifier of the first NF set, either providing (that is, executing) the requested first service and sending a response message, or sending a response message indicating that the service request is rejected; or the first network element, according to the identifier of the first NF set, either providing (executing) the requested first service and sending a response message, or sending a response message indicating that the service request failed.
The concrete form of the first network element determining whether to authorize the second network element to use the first service may be: when the second network element is authorized to use the first service, the first network element provides the first service to the second network element; or, when the second network element is not authorized to use the first service, the first network element rejects the service request message, thereby rejecting the first service requested by the second network element.
Exemplarily, the first network element determines whether the second network element belongs to the first NF set indicated by the identifier of the first NF set. For example, the first network element obtains the identifier of the first NF set from the access token and then judges, according to that identifier, whether the second network element belongs to the first NF set; if the second network element does not belong to the first NF set, the first network element refuses to provide the first service to the second network element.
It should be understood that, when the second network element does not belong to the first NF set, the first network element determines that the second network element is not authorized to use the access token and therefore refuses to provide the first service to the second network element.
In one possible implementation, the first network element determines, according to configuration information and the identifier of the second network element, whether the second network element belongs to the first NF set (that is, the NF set indicated by the identifier of the first NF set). If the second network element does not belong to the first NF set, the first network element refuses to provide the first service to the second network element; if the second network element belongs to the first NF set and the access token has been verified successfully, the first network element authorizes the second network element to use the first service.
Exemplarily, the first network element stores in advance configuration information for NF consumers; the configuration information includes the identifier of the first NF set and/or the identifier of the NF set to which the second network element belongs (denoted the identifier of the second NF set). After receiving the service request message, the first network element judges, according to the locally stored configuration information, whether the second network element belongs to the first NF set. Specifically, for example, in the direct communication scenario the first network element obtains the identifier of the second network element from the certificate information of the second network element, and then determines, according to the identifier of the second network element and the configuration information, the identifier of the second NF set corresponding to the identifier of the second network element; if the second network element has no corresponding NF set, or the identifier of the second NF set differs from the identifier of the first NF set, the first network element determines that the second network element does not belong to the first NF set, otherwise it determines that the second network element belongs to the first NF set. It should be understood that in the direct communication scenario a secure connection is established before the first and second network elements communicate, and the second network element sends its certificate information to the first network element, so the first network element can obtain the identifier of the second network element from that certificate information. For another example, the first network element determines, according to the identifier of the first NF set and the configuration information, the identifiers of all NFs corresponding to the first NF set; if these identifiers include the identifier of the second NF, the first network element determines that the second network element belongs to the first NF set, otherwise it determines that the second network element does not belong to the first NF set.
In the indirect communication scenario, the service request message further includes the CCA of the second network element, which includes the identifier of the second network element, and the first network element can obtain the identifier of the second network element from the CCA; the subsequent verification procedure is similar to the direct communication scenario and is not repeated here. If the second network element does not belong to the first NF set, the first network element refuses to provide the first service to the second network element; if the second network element belongs to the first NF set and the access token has been verified successfully, the first network element authorizes the second network element to use the first service.
For yet another example, in the direct communication scenario the first network element obtains the identifier of the second network element from the service request, that is, the second network element carries its identifier in the service request message; when the identifier of the second network element carried in the service request message is the same as the identity in the certificate information of the second network element, the first network element determines, according to the identifier of the second network element (or the identifier in the certificate) and the configuration information, the identifier of the NF set corresponding to the identifier of the second network element (denoted the identifier of the second NF set); if the second network element has no corresponding NF set, or the identifier of the second NF set differs from the identifier of the first NF set, the first network element determines that the second network element does not belong to the first NF set, otherwise it determines that the second network element belongs to the first NF set. It should be understood that in the direct communication scenario a secure connection is established before the first and second network elements communicate, and during establishment of the secure connection the second network element sends its certificate information to the first network element, so the first network element can obtain the identity of the second network element from that certificate information.
The concrete form of the first network element refusing to provide the first service to the second network element may be: the first network element sends a service response message to the second network element, the service response message indicating refusal to provide the first service; optionally, the service response message further includes the reason for the refusal, for example that access token verification failed.
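The locally configured membership check of this implementation, as an added example that is not code from the patent. It assumes the access token has already passed integrity and claim verification (only its claims are passed in), that the consumer's identifier comes from the CCA in the indirect scenario and from the TLS client certificate in the direct scenario, and that the consumer configuration is a map from NF instance ID to NF set ID; CONSUMER_CONFIG, the claim keys and every identifier are constructed values. It also covers the optional shortcut from the text: when the token was requested by the same NF that now presents it, the set check is skipped.

```python
# Constructed local NF consumer configuration held by the first network element
# (the service provider): NF instance ID -> NF set ID. Values are not from the page.
CONSUMER_CONFIG = {
    "nf-c-0001": "set1.amfset.5gc.mnc001.mcc001",
    "nf-c-0002": "set1.amfset.5gc.mnc001.mcc001",
    "nf-c-0003": "set2.amfset.5gc.mnc001.mcc001",
}


def consumer_identifier(request: dict):
    """Identifier of the second network element, taken from where the text says it
    comes from: the CCA in the indirect scenario, the TLS client certificate in the
    direct scenario. If the request also carries the identifier explicitly, it must
    equal the certificate's, otherwise no identity is accepted."""
    if "cca" in request:
        return request["cca"]["nf_instance_id"]
    cert_id = request.get("client_cert_nf_instance_id")
    claimed = request.get("nf_instance_id")
    if claimed is not None and claimed != cert_id:
        return None
    return cert_id


def belongs_to_set(consumer_id: str, nf_set_id: str, config=CONSUMER_CONFIG) -> bool:
    """Both lookups the text describes give the same answer: the forward lookup
    (consumer -> its set) is used, and the reverse one (enumerate the members of the
    token's set) is asserted equal as a consistency check on the configuration."""
    forward = config.get(consumer_id) == nf_set_id
    reverse = consumer_id in {nf for nf, s in config.items() if s == nf_set_id}
    assert forward == reverse
    return forward


def authorize(request: dict, claims: dict, config=CONSUMER_CONFIG) -> dict:
    """S402 on the first network element. `claims` are the already verified access
    token claims; they carry the first NF set's identifier and, optionally, the
    identifier of the NF that requested the token (the fourth network element).
    Returns the service response the text describes: granted, or rejected with a cause."""
    consumer_id = consumer_identifier(request)
    if consumer_id is None:
        return {"status": "rejected", "cause": "consumer identifier does not match certificate"}
    # The token was requested by this very NF: the set check may be skipped.
    if claims.get("requester_nf_instance_id") == consumer_id:
        return {"status": "granted"}
    if not belongs_to_set(consumer_id, claims["consumer_nf_set_id"], config):
        return {"status": "rejected", "cause": "access token verification failed"}
    return {"status": "granted"}


# Constructed claims of a token requested by nf-c-0001 for its NF set.
CLAIMS = {"consumer_nf_set_id": "set1.amfset.5gc.mnc001.mcc001",
          "requester_nf_instance_id": "nf-c-0001"}

if __name__ == "__main__":
    print(authorize({"client_cert_nf_instance_id": "nf-c-0002"}, CLAIMS))
    print(authorize({"client_cert_nf_instance_id": "nf-c-0003"}, CLAIMS))
```

The identity used for the lookup is always the authenticated one (certificate or signed CCA); an identifier the consumer merely writes into the request body is only accepted when it agrees with the certificate, which is what stops an NF outside the set from naming a set member and reusing its token.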
另一种可能的实现方式中,第一网元请求第三网元验证第二网元是否属于第一NF集。示例性地,第一网元向第三网元发送第一验证请求消息,该第一验证请求消息中包括第二网元的标识和第一NF集的标识,该第一验证请求消息用于请求验证第二网元是否属于第一NF集(或者说第一NF集的标识所指示的NF集合),或者说,该第一验证请求消息用于请求验证第二网元的标识是否与第一NF集的标识对应,或者说,该第一验证请求消 息用于请求验证第二网元所属的NF集的标识是否与第一NF集的标识匹配。这里的第三网元可以是网络存储功能网元,例如在5G系统中,该第三网元可以是NRF。第三网元接收到第一验证请求消息之后,根据第二网元的标识获取与第二网元的标识相关联的NF消费者配置信息,通过该配置信息确定第二网元的标识所对应的NF集的标识(记为第二NF集的标识)。如果该配置信息中没有第二网元的标识所对应的NF集的标识,或者第二NF集的标识与第一NF集的标识不同,则第三网元确定第二网元不属于第一NF集,否则第三网元确定第二网元属于第一NF集;或者,第三网元根据第一NF集的标识确定第一NF集的标识所对应的NF消费者配置信息,根据该配置信息确定第一NF集所对应的所有NF的标识,当这些标识中包括第二NF的标识,则第三网元确定第二网元属于第一NF集,否则第三网元确定第二网元不属于第一NF集。进一步地,第三网元向第一网元发送指示信息,该指示信息用于指示第二网元是否属于第一NF集,或者,该指示信息用于指示第二网元的标识是否与第一NF集的标识对应,或者,该指示信息用于指示第二NF集的标识是否与第一NF集的标识匹配。对应的,第一网元接收来自第三网元的指示信息,根据该指示信息确定第二网元是否属于第一NF集。在第二网元不属于第一NF集的情况下,第一网元拒绝向第二网元提供第一服务;在第二网元属于第一NF集且访问令牌被验证通过的情况下,第一网元拒绝向第二网元提供第一服务。In another possible implementation manner, the first network element requests the third network element to verify whether the second network element belongs to the first NF set. Exemplarily, the first network element sends a first verification request message to the third network element, the first verification request message includes the identifier of the second network element and the identifier of the first NF set, and the first verification request message is used for Request to verify whether the second network element belongs to the first NF set (or the NF set indicated by the identifier of the first NF set), or in other words, the first verification request message is used to request to verify whether the identifier of the second network element is consistent with the first NF set The identity of an NF set corresponds, or in other words, the first verification request message is used to request to verify whether the identity of the NF set to which the second network element belongs matches the identity of the first NF set. 
The third network element here may be a network storage function network element, for example, in a 5G system, the third network element may be an NRF. After the third network element receives the first verification request message, it obtains the NF consumer configuration information associated with the second network element's identifier according to the second network element's identifier, and uses the configuration information to determine the corresponding The identity of the NF set (denoted as the identity of the second NF set). If there is no identity of the NF set corresponding to the identity of the second network element in the configuration information, or the identity of the second NF set is different from the identity of the first NF set, the third network element determines that the second network element does not belong to the first NF set. NF set, otherwise the third network element determines that the second network element belongs to the first NF set; or, the third network element determines the NF consumer configuration information corresponding to the identity of the first NF set according to the identity of the first NF set, and according to the The configuration information determines the identities of all NFs corresponding to the first NF set. When these identities include the identity of the second NF, the third network element determines that the second network element belongs to the first NF set; otherwise, the third network element determines that the second NF The network element does not belong to the first NF set. 
Further, the third network element sends indication information to the first network element, the indication information is used to indicate whether the second network element belongs to the first NF set, or the indication information is used to indicate whether the identifier of the second network element is consistent with the first NF set The identity of an NF set corresponds, or the indication information is used to indicate whether the identity of the second NF set matches the identity of the first NF set. Correspondingly, the first network element receives the indication information from the third network element, and determines whether the second network element belongs to the first NF set according to the indication information. When the second network element does not belong to the first NF set, the first network element refuses to provide the first service to the second network element; when the second network element belongs to the first NF set and the access token is verified and passed , the first network element refuses to provide the first service to the second network element.
In yet another possible implementation, the first network element obtains, through the third network element, the identifier of the NF set corresponding to the second network element, and uses that identifier to verify whether the second network element belongs to the first NF set. For example, the first network element sends a second verification request message to the third network element; the second verification request message includes the identifier of the second network element and requests the identifier of the NF set corresponding to that identifier (denoted as the identifier of the second NF set). Correspondingly, after receiving the second verification request message, the third network element uses the identifier of the second network element to obtain the NF consumer configuration information associated with that identifier, and determines the identifier of the second NF set from the configuration information. If the configuration information contains no NF set identifier corresponding to the identifier of the second network element, the third network element sends indication information to the first network element indicating that obtaining the identifier of the second network element's NF set failed, and the first network element determines from this indication information that the second network element is not authorized to use the access token. If the configuration information contains the identifier of the second NF set, the third network element sends that identifier to the first network element. Correspondingly, the first network element receives the identifier of the second NF set and judges whether it matches the identifier of the first NF set; if they match, the first network element determines that the second network element belongs to the first NF set, otherwise it determines that the second network element does not belong to the first NF set. When the second network element does not belong to the first NF set, the first network element refuses to provide the first service to the second network element; when the second network element belongs to the first NF set and the access token passes verification, the first network element refuses to provide the first service to the second network element.
In yet another possible implementation, the first network element obtains, through the third network element, the identifiers of all NFs in the first NF set, and uses those identifiers to verify whether the second network element belongs to the first NF set. For example, the first network element sends a third verification request message to the third network element; the third verification request message includes the identifier of the first NF set and requests the identifiers of all NFs in the first NF set. Correspondingly, after receiving the third verification request message, the third network element uses the identifier of the first NF set to obtain the NF consumer configuration information of the first NF set, obtains the identifiers of all NFs in the first NF set from that configuration information, and then sends these NF identifiers to the first network element; the first network element determines from the identifiers of all NFs in the first NF set whether the second network element belongs to the first NF set. If the identifiers of the NFs in the first NF set include the identifier of the second network element, the first network element determines that the second network element belongs to the first NF set; otherwise it determines that the second network element does not belong to the first NF set. When the second network element does not belong to the first NF set, the first network element refuses to provide the first service to the second network element; when the second network element belongs to the first NF set and the access token passes verification, the first network element authorizes the second network element to use the first service.
It should be noted that, when the second network element belongs to the first NF set, the other verification conditions in the access token (for example, other parameters carried in the access token) still need to be verified, and only if that verification passes does the first network element authorize the second network element to use the first service. For example, the other verification conditions in the access token include one or more of the following: the NF instance identifier of the service provider, the NF type of the service provider, the single network slice selection assistance information of the service provider, the network slice instance identifier of the service provider, the identifier of the NF set to which the service provider belongs, the expected service name, and the validity time of the access token. For instance: the first network element verifies whether the NF instance identifier or NF type in the access token matches its own identifier or type; if the access token includes single network slice selection assistance information (S-NSSAIs) or network slice instance identifiers (NSI IDs), the first network element verifies whether it can serve the corresponding slices; if the access token includes the NF set identifier of the service provider, the first network element verifies whether that NF set identifier matches its own NF set identifier, in other words whether it belongs to the NF set indicated by that identifier; if the access token includes the expected service name, the first network element verifies whether it matches the requested service operation; if the access token includes additional scope information, the first network element verifies whether the included additional scope matches the requested operation; in addition, the first network element verifies whether the access token is within its validity time, for example by comparing the expiration time in the access token with the current time to determine whether the access token has expired. For example, when verification passes, the first network element authorizing the second network element to use the first service takes the following form: once all parameters pass verification, the first network element provides the requested first service to the second network element (in other words, the first network element executes the first service) and sends a response message indicating that the first service is provided.
This application does not limit the order in which the first network element verifies the identifier of the first NF set and the other verification conditions. Preferably, the identifier of the first NF set is verified first and the other verification conditions afterwards, so that when verification of the identifier of the first NF set fails, the other verification conditions need not be verified at all, which saves resources.
Optionally, when the first network element determines that the second network element belongs to the first NF set, the first network element stores the association between the identifier of the second network element and the identifier of the first NF set, so that when the second network element requests a service with the same access token again, the first network element can use the locally stored association directly to determine that the second network element is authorized to use the access token corresponding to the identifier of the first NF set.
Therefore, in the authorization verification method provided by the embodiments of this application, while the second network element is requesting a service from the first network element, whether the NF service consumer is authorized to use the access token carried in the request message is determined by verifying whether the second network element belongs to the NF set corresponding to that access token, which prevents a malicious NF service consumer from exceeding its authority by using the access token to obtain services.
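As an added example (not code from the patent), the following Python sketches the first network element's checks described above: NF set membership against a local NF consumer configuration table first, then the other token claims, with the verified association cached for repeat requests. The claim names, the configuration table and the sample values are assumptions.

```python
"""Producer-side checks on an access token bound to a consumer NF set.

Added example, not code from the patent. The claim names, the local NF
consumer configuration table and the sample values are constructed
assumptions; the check order (NF set first, other claims after) and the
cached association follow the text above.
"""

# Constructed: NF consumer configuration held locally by the producer,
# mapping each consumer NF instance ID to the NF set it belongs to.
LOCAL_NFC_CONFIG = {
    "nfc-1": "set-A",
    "nfc-2": "set-A",
    "nfc-9": "set-B",
}


class Producer:
    """The first network element (NF service producer)."""

    def __init__(self, instance_id, nf_type, nf_set_id, served_snssais, config):
        self.instance_id = instance_id
        self.nf_type = nf_type
        self.nf_set_id = nf_set_id
        self.served_snssais = set(served_snssais)
        self.config = config
        # Optional cache of verified (consumer ID -> NF set ID) associations,
        # so a repeat request with the same token skips the configuration lookup.
        self.verified = {}

    def consumer_in_set(self, consumer_id, nf_set_id):
        """Is the consumer a member of the NF set the token was issued for?"""
        if self.verified.get(consumer_id) == nf_set_id:
            return True
        if self.config.get(consumer_id) != nf_set_id:
            return False
        self.verified[consumer_id] = nf_set_id
        return True

    def check_other_conditions(self, claims, service, operation, now):
        """The remaining claim checks; returns the first failing reason, or None."""
        # Audience: the producer's own NF instance ID, or its NF type.
        if claims.get("audience") not in (self.instance_id, self.nf_type):
            return "audience mismatch"
        # Producer NF set ID, when the token names one.
        if claims.get("producer_nf_set_id", self.nf_set_id) != self.nf_set_id:
            return "producer NF set mismatch"
        # S-NSSAI list: the producer must be able to serve every listed slice.
        if not set(claims.get("producer_snssai_list", [])) <= self.served_snssais:
            return "cannot serve requested slice"
        # Expected service name must cover the requested service.
        if service not in claims.get("scope", []):
            return "service not in scope"
        # Additional scope: the requested operation on the resource must be allowed.
        extra = claims.get("additional_scope")
        if extra is not None and operation not in extra.get(service, []):
            return "operation not in additional scope"
        # Validity time: compare the expiration time with the current time.
        if now >= claims["expiry"]:
            return "token expired"
        return None

    def authorize(self, consumer_id, claims, service, operation=None, now=0):
        """Return (granted, reason); NF set membership is checked first."""
        token_set = claims.get("consumer_nf_set_id")
        if token_set is None or not self.consumer_in_set(consumer_id, token_set):
            return False, "consumer is not in the NF set bound to the token"
        reason = self.check_other_conditions(claims, service, operation, now)
        if reason is not None:
            return False, reason
        return True, "service provided"


def demo():
    """Run the checks on constructed sample input; returns the four outcomes."""
    producer = Producer("nfp-3", "SMF", "set-B", {"01-abc"}, LOCAL_NFC_CONFIG)
    claims = {  # constructed claims of a token issued for NF set A
        "issuer": "nrf-1",
        "consumer_nf_set_id": "set-A",
        "audience": "SMF",
        "producer_nf_set_id": "set-B",
        "producer_snssai_list": ["01-abc"],
        "scope": ["nsmf-pdusession"],
        "additional_scope": {"nsmf-pdusession": ["create"]},
        "expiry": 1000,
    }
    return [
        producer.authorize("nfc-2", claims, "nsmf-pdusession", "create", now=500),
        producer.authorize("nfc-9", claims, "nsmf-pdusession", "create", now=500),
        producer.authorize("nfc-2", claims, "nsmf-pdusession", "delete", now=500),
        producer.authorize("nfc-2", claims, "nsmf-pdusession", "create", now=1000),
    ]


if __name__ == "__main__":
    for granted, reason in demo():
        print(granted, reason)
```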
FIG. 10 shows an exemplary flow chart of a method 500 provided by an embodiment of this application. Method 500 includes:
S501. The NRF stores the NFc configuration information.
For example, NFc configuration information is configured on the NRF. NFc here refers to the NF service consumers in NF set A; NF set A contains a plurality of NF service consumers, for example NFc1, NFc2, ..., NFcx, where x is an integer greater than or equal to 2. The configuration information of an NFc includes the NFc instance identifier and the identifier of NF set A (denoted as the NF set A ID).
S502. NFc1 sends an access token acquisition request message to the NRF.
For example, when NFc1 determines that it should obtain an access token for the NF service consumers in NF set A, it sends an access token acquisition request (Nnrf_accesstoken_Get Request) message to the NRF. For instance, when NFc1 wants to request a service and has no usable access token locally, NFc1 sends an access token acquisition request to the NRF to obtain one. Here NFc1 is any NF service requester in NF set A. The access token is used by an NF service consumer to request services from an NF service provider, and the NF service provider can perform an authorization check on the NF service consumer according to the access token.
In one possible implementation, NFc1 may request an access token for accessing the services of NF service providers of a given NF type. That is, NFc1 sends an access token acquisition request to the NRF, and the access token acquisition request message requests an access token for an NF type from the NRF. The access token request message includes the NF instance ID of NFc1, the NF set A ID, the expected service name, the NF type of NFc1 and the NF type of the NF service provider. Optionally, the access token acquisition request message may also include additional scope (that is, the requested resources and the requested operations on those resources), the S-NSSAI list or NSI ID list of the expected NF service provider instance, the NF Set ID of the expected NF service provider instance, the S-NSSAI list of the NF service consumer, and so on.
In another possible implementation, NFc1 may request an access token for accessing the services of a specific NF service provider instance or NF service provider service instance. In this case, the access token acquisition request message includes the NF instance ID of NFc1, the NF set A ID and the expected service name. Optionally, the access token acquisition request message may also include additional scope (that is, the requested resources and the requested operations on those resources) and the like.
In one possible implementation, the NF Set A ID in the access token request message of the above implementations may be replaced by indication information, which indicates that an access token is being requested for the NF set to which the NFc belongs.
S503. The NRF verifies whether NFc1 is authorized.
For example, the NRF verifies whether the parameters in the access token acquisition request (such as the NF type) match the parameters in the NF service consumer's public key certificate or in the NFc configuration information. If the access token acquisition request message includes the NF set A ID, the NRF verifies whether the NF set A ID matches the NF set ID in NFc1's public key certificate or in the NFc configuration information, that is, whether NFc1 is authorized to request an access token for the NF set A ID. Further, the NRF checks whether NFc1 is authorized to access the requested service.
S504. When the authorization verification of NFc1 passes, the NRF generates an access token.
For example, when the parameters in the access token acquisition request (including the NF set A ID) match the NF set ID in NFc1's public key certificate or in the NFc configuration information, and NFc1 is entitled to request an access token for the NF set A ID, the NRF generates an access token that includes claims.
When NFc1 requests an access token for accessing the services of NF service providers of a given NF type, the claims include the NF instance ID of the NRF, the NF instance ID of NFc1, the NF set A ID, the NF type of the NF service provider, the expected service name and the expiration time. Optionally, the claims may also include additional scope (the resources that may be requested and the operations on those resources that may be requested), the S-NSSAI list or NSI ID list of the expected NF service provider instance, the NF Set B ID of the expected NF service provider instance, and so on.
When NFc1 requests an access token for accessing the services of a specific NF service provider instance or NF service provider service instance, the claims include the NF instance ID of the NRF, NF instance ID #1 of NFc1, the NF set A ID, NF instance ID #3 of the NF service provider, the expected service name and the expiration time. Optionally, the claims may also include additional scope (the resources that may be requested and the operations on those resources that may be requested) and the like.
The NRF uses a shared key to generate a MAC value for the access token, or the NRF signs the generated claims with its private key.
In another possible implementation, the claims in the above access token may omit the NF instance ID of NFc1.
If the token request message contains indication information instead, the NRF determines the NF set to which NFc1 belongs from certificate information or configuration information, and includes the NF set identifier of that NF set in the access token.
S505. The NRF sends an access token acquisition response message to NFc1.
For example, after generating the access token, the NRF sends an access token acquisition response (Nnrf_accesstoken_Get Response) message to NFc1, and the access token acquisition response message includes the access token. Optionally, the access token acquisition response message also includes the expiration time of the access token.
With the above technical solution, by verifying in the direct communication scenario whether the NF service consumer requesting an access token is authorized, a malicious NF service consumer can be prevented from requesting an access token beyond its authority.
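The NRF side of S501 to S504, as an added example rather than code from the patent or any 5G core implementation. The configuration table, the claim names, the indication value that stands in for an explicit NF set ID, and the HMAC-based MAC over the claims are all assumptions.

```python
"""NRF-side authorization of an access token request for an NF set (method 500).

Added example, not the patent's or any vendor's code. The configuration
table, claim names, the FOR_OWN_SET indication value and the HMAC over the
canonical JSON of the claims are constructed assumptions; the checks in
S503 and the claim contents in S504 follow the text above.
"""
import hashlib
import hmac
import json

# Constructed S501 configuration: NFc instance ID -> NF type, NF set ID,
# and the services the consumer is allowed to access.
NFC_CONFIG = {
    "nfc-1": {"nf_type": "AMF", "nf_set_id": "set-A", "services": {"nsmf-pdusession"}},
    "nfc-2": {"nf_type": "AMF", "nf_set_id": "set-A", "services": {"nsmf-pdusession"}},
    "nfc-9": {"nf_type": "PCF", "nf_set_id": "set-B", "services": {"nudm-sdm"}},
}

# Indication information replacing an explicit NF set ID in the request:
# "issue the token for the NF set I belong to" (constructed value).
FOR_OWN_SET = "for-own-nf-set"


class Nrf:
    def __init__(self, instance_id, config, shared_key):
        self.instance_id = instance_id
        self.config = config
        self.shared_key = shared_key  # key shared with the NF service providers

    def mac(self, claims):
        """MAC over the canonical JSON encoding of the claims (shared-key variant of S504)."""
        data = json.dumps(claims, sort_keys=True).encode()
        return hmac.new(self.shared_key, data, hashlib.sha256).hexdigest()

    def get_access_token(self, request, now):
        """Nnrf_accesstoken_Get: returns (token, None) on success or (None, error)."""
        cfg = self.config.get(request["nf_instance_id"])
        if cfg is None:
            return None, "unknown NF service consumer"
        # S503: request parameters must match the consumer's configuration.
        if request.get("nf_type", cfg["nf_type"]) != cfg["nf_type"]:
            return None, "NF type mismatch"
        nf_set_id = request.get("nf_set_id")
        if nf_set_id == FOR_OWN_SET:
            nf_set_id = cfg["nf_set_id"]  # NRF fills in the set from configuration
        elif nf_set_id is not None and nf_set_id != cfg["nf_set_id"]:
            return None, "consumer not authorized to request a token for this NF set"
        if request["scope"] not in cfg["services"]:
            return None, "consumer not authorized for the requested service"
        # S504: build the claims.
        claims = {
            "issuer": self.instance_id,            # NF instance ID of the NRF
            "subject": request["nf_instance_id"],  # NF instance ID of NFc1
            "scope": request["scope"],             # expected service name
            "expiry": now + 3600,                  # expiration time
        }
        if nf_set_id is not None:
            claims["consumer_nf_set_id"] = nf_set_id  # NF set A ID
        if "producer_nf_instance_id" in request:
            # Token for a specific NF service provider instance.
            claims["audience"] = request["producer_nf_instance_id"]
        else:
            # Token for any NF service provider of the requested NF type.
            claims["audience"] = request["producer_nf_type"]
            for opt in ("producer_snssai_list", "producer_nsi_id_list", "producer_nf_set_id"):
                if opt in request:
                    claims[opt] = request[opt]
        if "additional_scope" in request:
            claims["additional_scope"] = request["additional_scope"]
        return {"claims": claims, "mac": self.mac(claims)}, None


def demo():
    """Three constructed requests: NF-type token, own-set indication, and a set mismatch."""
    nrf = Nrf("nrf-1", NFC_CONFIG, b"constructed-shared-key")
    by_type = nrf.get_access_token(
        {"nf_instance_id": "nfc-1", "nf_type": "AMF", "nf_set_id": "set-A",
         "scope": "nsmf-pdusession", "producer_nf_type": "SMF",
         "producer_snssai_list": ["01-abc"]}, now=100)
    own_set = nrf.get_access_token(
        {"nf_instance_id": "nfc-1", "nf_set_id": FOR_OWN_SET,
         "scope": "nsmf-pdusession", "producer_nf_instance_id": "nfp-3"}, now=100)
    wrong_set = nrf.get_access_token(
        {"nf_instance_id": "nfc-9", "nf_type": "PCF", "nf_set_id": "set-A",
         "scope": "nudm-sdm", "producer_nf_type": "UDM"}, now=100)
    return nrf, by_type, own_set, wrong_set


if __name__ == "__main__":
    for outcome in demo()[1:]:
        print(outcome)
```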
FIG. 11 shows an exemplary flow chart of a method 600 provided by an embodiment of this application. In method 600, the service consumer does not communicate directly with the NRF network element; the SCP network element communicates with the NRF network element on behalf of the service consumer. Method 600 includes:
S601. The NRF stores the NFc configuration information.
It should be understood that S601 is similar to S501 in method 500 and is not described again here.
S602. NFc1 sends an access token request message to the SCP.
For example, when NFc1 determines that it should obtain an access token for the NF service consumers in NF set A, it sends an access token acquisition request (Nnrf_accesstoken_Get Request) message to the NRF.
In one possible implementation, NFc1 may request an access token for accessing the services of NF service providers of a given NF type. In this case, the access token request message includes the NF instance ID of NFc1, the NF set A ID, the expected service name, the NF type of NFc1 and the NF type of the NF service provider. The access token request message also includes a client credentials assertion (CCA); the CCA includes the NF instance ID of NFc1, a timestamp and expiration time, and the NF type. Optionally, the access token acquisition request message may also include additional scope (that is, the requested resources and the requested operations on those resources), the S-NSSAI list or NSI ID list of the expected NF service provider instance, the NF Set ID of the expected NF service provider instance, the S-NSSAI list of the NF service consumer, and so on.
In another possible implementation, NFc1 may request an access token for accessing the services of a specific NF service provider instance or NF service provider service instance. In this case, the access token acquisition request message includes the NF instance ID of NFc1, the NF set A ID and the expected service name. The access token request message also includes a CCA; the CCA includes the NF instance ID of NFc1, a timestamp and expiration time, and the NF type. Optionally, the access token acquisition request message may also include additional scope (that is, the requested resources and the requested operations on those resources) and the like.
In one possible implementation, the NF Set A ID in the access token request message of the above implementations may be replaced by indication information, which indicates that an access token is being requested for the NF set to which the NFc belongs.
S603. The SCP sends an access token acquisition request message to the NRF.
It should be understood that this access token acquisition request message is the same as the request message in S702, or in other words, the access token request message includes the parameters carried by the request message in S702.
S604. The NRF verifies whether NFc1 is authorized.
For example, if the access token acquisition request message includes a CCA, the NRF verifies NFc1 according to the CCA. If the CCA verification passes, the NRF verifies whether the parameters in the access token acquisition request (such as the NF type) match the parameters in the NF service consumer's public key certificate or in the NFc configuration information. If the access token acquisition request message includes the NF set A ID, the NRF verifies whether the NF set A ID matches the NF set ID in NFc1's public key certificate or in the NFc configuration information, that is, whether NFc1 is authorized to request an access token for the NF set A ID. Further, the NRF checks whether NFc1 is authorized to access the requested service.
If the token request message includes indication information instead, the NRF determines the NF set to which NFc1 belongs from certificate information or configuration information, and includes the NF set identifier of that NF set in the access token.
S605. When the authorization verification of NFc1 succeeds, the NRF generates an access token.
It should be understood that S605 is similar to S504 in method 500 and, for brevity, is not described again.
S606. The NRF sends an access token acquisition response message to the SCP.
For example, after generating the access token, the NRF sends an access token acquisition response (Nnrf_accesstoken_Get Response) message to the SCP, and the access token acquisition response message includes the access token generated by the NRF in S705. Optionally, the access token acquisition response message also includes the expiration time of the access token.
S607. The SCP sends the access token acquisition response message to NFc1.
With the above technical solution, by verifying in the indirect communication scenario whether the NF service consumer requesting an access token is authorized, a malicious NF service consumer can be prevented from requesting an access token beyond its authority.
图12示出了本申请实施例提供的方法700的示例性流程图。方法700可以与方法500结合实施,例如,方法700在方法500之后实施。方法700也可以独立实施,本申请不做限定。方法700包括:Fig. 12 shows an exemplary flow chart of a method 700 provided by an embodiment of the present application. Method 700 may be implemented in conjunction with method 500 , for example, method 700 may be implemented after method 500 . The method 700 can also be implemented independently, which is not limited in this application. Method 700 includes:
S701,NFc2向NFp发送NF服务请求消息。对应地,NFp接收来自NFc2的该NF服务请求。S701, NFc2 sends an NF service request message to NFp. Correspondingly, NFp receives the NF service request from NFc2.
示例性地,当NFc2需要获取访问令牌access token授权的服务提供者NFp的服务时,NFc2向NFp发送NF服务请求消息,该服务请求消息包括该访问令牌access token。其中,该access token用于NF set A中的任意一个NF服务消费者请求服务,该access token与该NF set A的标识相关联(NF set A ID相关联),因此,在该access token未过期的任意时间,NF set A中的任意NF服务消费者都可以使用该access token请求该access token授权的NFp的服务。Exemplarily, when NFc2 needs to obtain the service of the service provider NFp authorized by the access token access token, NFc2 sends the NF service request message to NFp, and the service request message includes the access token access token. Among them, the access token is used for any NF service consumer in NF set A to request services, and the access token is associated with the identity of the NF set A (associated with the NF set A ID). Therefore, the access token has not expired At any time, any NF service consumer in NF set A can use the access token to request the NFp service authorized by the access token.
该access token中包括claims。The access token includes claims.
在NFc2请求接入NF type的NF服务提供者的服务的access token的情况下,该claims包括NRF的NF实例ID,NFc1的NF实例ID#1,NF set A ID,NF服务提供者的NF type B,期望的服务名称,到期时间,应理解,NFc1为请求该access token的NF服务消费者,或者说该access token是由NFc1从NRF请求获取的。可选的,该claims还可以包括附加范围(允许请求的资源和请求的针对资源的操作),期望的NF服务提供者实例的S-NSSAI列表或NSI ID列表、期望的NF服务提供者实例的NF Set B ID等。In the case where NFc2 requests to access the access token of the service of the NF service provider of NF type, the claims include the NF instance ID of NRF, the NF instance ID#1 of NFc1, NF set A ID, and the NF type of the NF service provider B. Expected service name and expiration time. It should be understood that NFc1 is the NF service consumer requesting the access token, or that the access token is obtained by NFc1 from the NRF request. Optionally, the claims may also include additional scopes (allowing the requested resource and the requested operation on the resource), the S-NSSAI list or NSI ID list of the desired NF service provider instance, the desired NF service provider instance NF Set B ID etc.
在NFc2请求接入特定NF服务提供者实例或NF服务提供者服务实例的服务的access token的情况下,该claims包括NRF的NF实例ID,NFc1的NF实例ID#1,NF set A ID,NF服务提供者的NF实例ID#3,期望的服务名称,到期时间。可选的,该claims还可以包括附加范围(允许请求的资源和请求的针对资源的操作)等。In the case of NFc2 requesting access to a specific NF service provider instance or an access token for a service of a NF service provider service instance, the claims include NF instance ID of NRF, NF instance ID#1 of NFc1, NF set A ID, NF NF instance ID#3 of the service provider, desired service name, and expiration time. Optionally, the claims may also include an additional scope (allowing the requested resource and the requested operation on the resource) and the like.
应理解,该access token经过了完整性保护。例如,NRF在生成该access token之后,使用共享的密钥对该access token生成MAC值,或者NRF利用私钥对生成的claims进行 签名。It should be understood that the access token is integrity protected. For example, after NRF generates the access token, it uses the shared key to generate the MAC value of the access token, or NRF uses the private key to sign the generated claims.
需要说明的是,在方法700在方法500之后实施的情况下,方法700中的NRF与方法500中的NRF可以相同也可以不同,即生成和分发访问令牌的NRF与方法700中进行验证的NRF可以是不同的网元,本申请对此不做限定。It should be noted that, in the case where method 700 is implemented after method 500, the NRF in method 700 and the NRF in method 500 may be the same or different, that is, the NRF for generating and distributing access tokens is the same as the NRF for verification in method 700 The NRF may be different network elements, which is not limited in this application.
S702,NFp验证访问令牌的完整性。S702. The NFp verifies the integrity of the access token.
示例性地,NFp接收到NF服务请求消息时,若消息中包含access token,则对access token执行完整性验证。例如,NFp根据access token中的NRF实例ID获取验证完整性的公钥或共享密钥(即NRF与NF服务提供者之间共享的密钥),若并使用公钥验证签名或使用共享密钥验证MAC值。Exemplarily, when the NFp receives the NF service request message, if the message contains the access token, it performs integrity verification on the access token. For example, NFp obtains the public key or shared key for verifying integrity (that is, the shared key between NRF and NF service provider) according to the NRF instance ID in the access token, and uses the public key to verify the signature or use the shared key Verify the MAC value.
若完整性校验成功,则进一步可选地,在S703,NFp确定安全令牌access token中的NF实例ID#1与NFc2的NF实例ID#2是否相同。If the integrity check is successful, further optionally, at S703, the NFp determines whether the NF instance ID #1 in the security token access token is the same as the NF instance ID #2 of the NFc2.
示例性地,NFp从access token中获取NFc1的NF实例ID#1,从NF消费者证书(NFc证书)中获取NFc2的NF实例ID#2,然后判断NF实例ID#1与NF实例ID#2是否相同。或者,NFp从access token中获取NFc1的NF实例ID#1,从NF服务请求消息中获取NFc2的NF实例ID#2,然后判断NF实例ID#1与NF实例ID#2是否相同。Exemplarily, NFp obtains the NF instance ID #1 of NFc1 from the access token, obtains the NF instance ID #2 of NFc2 from the NF consumer certificate (NFc certificate), and then judges the NF instance ID #1 and the NF instance ID #2 Is it the same. Or, NFp obtains the NF instance ID #1 of NFc1 from the access token, obtains the NF instance ID #2 of NFc2 from the NF service request message, and then judges whether the NF instance ID #1 is the same as the NF instance ID #2.
在一种可能的情况中,NF实例ID#1与NF实例ID#2不相同,则表示NFc2与NFc1不相同,或者说,该access token不是NFc2请求获取的。此时NFp进一步确定该access token中是否包括NF服务请求者的NF集的标识。如果该access token中包括NF服务请求者的NF集的标识(例如本申请实施例中的NF set A ID),则NFp进一步验证NFc2是否有权使用该NF set A ID所对应的该access token。In a possible situation, if the NF instance ID#1 is different from the NF instance ID#2, it means that NFc2 is not the same as NFc1, or that the access token is not requested by NFc2. At this time, NFp further determines whether the access token includes the identification of the NF set of the NF service requester. If the access token includes the identity of the NF set of the NF service requester (such as the NF set A ID in the embodiment of the present application), then NFp further verifies whether NFc2 has the right to use the access token corresponding to the NF set A ID.
如果access token不包括NF实例ID#1,则可以不执行703,直接进行后续的验证流程。If the access token does not include the NF instance ID#1, step 703 may not be executed, and the subsequent verification process may be directly performed.
In one possible implementation (denoted scheme 1), NFp determines from local configuration information whether NFc2 belongs to NF set A, or in other words, NFp determines from local configuration information whether NFc2 is entitled to use the access token corresponding to NF set A ID. For example:
If NFp stores NF consumer configuration information locally, then in S704 NFp determines from that local configuration information whether NFc2 belongs to NF set A. It should be understood that the NF consumer configuration information includes the association between NF consumers and NF set identifiers. If NFc2 belongs to NF set A, NFp determines that NFc2 is entitled to use the access token corresponding to NF set A ID.
In another possible implementation (denoted scheme 2), NFp asks the NRF to verify whether NFc2 belongs to NF set A, or in other words, NFp asks the NRF to verify whether NFc2 is entitled to use the access token corresponding to NF set A ID. For example:
S705: NFp sends a verify service consumer request message to the NRF. The request message includes NF instance ID #2 of NFc2 and NF set A ID, and is used to request verification of whether NFc2 is entitled to use the access token corresponding to NF set A ID; equivalently, to request verification of whether NFc2 corresponds to NF set A ID, or of whether the identifier of the NF set to which NFc2 belongs is the same as NF set A ID.
S706: The NRF obtains the NFc configuration information corresponding to NF instance ID #2 of NFc2 and checks whether that configuration information includes an NF set identifier. If it does, the NRF checks whether the NF set identifier in the configuration information (denoted NF set C ID) is the same as NF set A ID. If they are the same, the NRF determines that NFc2 is entitled to use the access token corresponding to NF set A ID.
S707: The NRF sends a verify service consumer response message to NFp. The message includes the verification result; for example, it includes indication information indicating that NFc2 is entitled to use the access token corresponding to NF set A ID, or indicating that NFc2 belongs to NF set A.
In yet another possible implementation (denoted scheme 3), NFp obtains from the NRF either the identifier of the NF set corresponding to NF instance ID #2 (denoted NF set C ID) or the IDs of all NFs in NF set A (denoted NF A IDs), and verifies from NF set C ID or the NF A IDs whether NFc2 is entitled to use the access token corresponding to NF set A ID. For example:
S708: NFp sends an NF service consumer verification request message to the NRF. Either the message includes NF instance ID #2 of NFc2 and requests the identifier of the NF set corresponding to NF instance ID #2, or the message includes NF set A ID and requests all NF A IDs corresponding to NF set A ID.
S709: The NRF obtains NF set C ID from NF instance ID #2, or obtains all NF A IDs from NF set A ID.
For example, after receiving the NF service consumer verification request message, the NRF obtains the NFc configuration information corresponding to NF instance ID #2 of NFc2 and determines NF set C ID from it, NF set C ID being the identifier of the NF set to which NF instance ID #2 belongs. Alternatively, after receiving the request, the NRF obtains the NFc configuration information corresponding to NF set A ID and determines all NF A IDs from it.
S710: The NRF sends an NF service consumer verification response message to NFp. The response message includes NF set C ID or all NF A IDs.
S711: NFp verifies from the NF service consumer verification response message whether NFc2 belongs to NF set A.
For example, if the response message includes NF set C ID, NFp checks whether NF set C ID matches NF set A ID. If they match, NFp determines that NFc2 belongs to NF set A and is therefore entitled to use the access token corresponding to NF set A ID.
If the response message includes multiple NF A IDs, NFp checks whether NF instance ID #2 of NFc2 is among them. If it is, NFp determines that NFc2 belongs to NF set A and is therefore entitled to use the access token corresponding to NF set A ID.
It should be noted that if the access token does not include the NF instance ID of the NF service requester that obtained it (NF instance ID #1), S703 may be skipped and any of schemes 1 to 3 used directly to verify whether NFc2 is entitled to use the access token corresponding to NF set A ID.
With the above schemes, if NFp determines that NFc2 is entitled to use the access token corresponding to NF set A ID, then optionally, in S712, NFp stores NF instance ID #2 of NFc2 together with NF set A ID (that is, it stores the association between NF instance ID #2 and NF set A ID). This information is used in subsequent verification: for example, when NFc2 later requests a service from NFp again with the access token corresponding to NF set A ID, NFp can determine from the locally stored association between NF instance ID #2 and NF set A ID that NFc2 is entitled to use that access token, which avoids repeating the full verification procedure and saves signalling overhead.
In another possible case, NF instance ID #1 is the same as NF instance ID #2. This means that NFc2 is the same as NFc1, or in other words that the access token was requested by NFc2 itself, so NFc2 is entitled to use the access token to request the service. In this case, even if the access token includes NF set A ID, NFp need not verify whether NFc2 is entitled to use the access token corresponding to NF set A ID; that is, it need not verify whether NFc2 belongs to NF set A and may skip the NF set A ID verification (alternatively, any of schemes 1 to 3 above may still be used for verification; this application does not limit this). NFp may then further verify the parameters in the claims in a manner similar to that described above, which is not repeated here.
After NFp determines that NFc2 is entitled to use the access token, NFp further verifies the parameters in the claims, for example:
NFp verifies that NF instance ID #3 or NF type B in the claims matches its own ID or type;
if the claims include S-NSSAIs or NSI IDs, NFp verifies that it can serve the corresponding slices;
if the claims include NF Set B ID, NFp verifies that NF set B ID in the claims matches its own NF Set ID, that is, that NFp itself belongs to NF set B corresponding to NF Set B ID;
if the claims include a service name, NFp verifies that it matches the requested service operation;
if the claims include additional scope information, NFp verifies that the included additional scope matches the requested operation;
in addition, NFp verifies that the access token is within its validity period; for example, NFp compares the expiration time in the access token with the current time to check whether the access token has expired.
This application does not limit the order in which NFp verifies NF set A ID and the other parameters in the claims. Preferably, NF set A ID is verified first and the other claim parameters afterwards, so that when verification of NF set A ID fails the other parameters need not be verified at all, which saves resources.
This application does not limit the order in which the parameters in the claims are verified.
S713: NFp sends an NF service response message to NFc2.
For example, when all of the above verifications pass, NFp determines that NFc2 is entitled to request the service, processes the NF service request of NFc2, and sends an NF service response message to the NF service consumer. If any of the above verifications fails, NFp sends an NF service response to NFc2 rejecting the NF service request.
For example, when all of the above verifications pass, NFp provides the requested service to NFc2 (that is, executes the requested service) and sends the service response message.
Therefore, in the authorization verification method provided by the embodiments of this application, while an NF service consumer is requesting a service, whether the NF service consumer is authorized to use the access token carried in the request message is determined by verifying whether the NF service consumer belongs to the NF set corresponding to that access token. This prevents a malicious NF service consumer from using the access token beyond its authority to obtain services.
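The NFp-side procedure of method 700 (S702 integrity check keyed by the NRF instance ID, the S703 comparison of NF instance ID #1 with NF instance ID #2, the NF set A ID check by scheme 1, 2 or 3, the S712 caching of the association, and the claim checks that follow) as one runnable Python example. This is an added illustration, not code from the patent or from any 3GPP implementation. Its assumptions: the token is a compact header.payload.mac string with an HMAC-SHA256 MAC under a key shared between the NRF and NFp (the patent's shared-key branch; the public-key branch replaces the MAC check with a signature check), the claim names sub, aud, scope, exp and producerNfSetId are modelled on the 5G SBA access token, consumerNfSetId is a constructed name for NF set A ID, the NRF is simulated by an in-memory profile table, and the S712 cache entry is bounded by the token's exp (the patent does not say how long the stored association is kept). All NF instance IDs, set IDs and keys are constructed sample data.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample material (assumptions, not taken from the patent).
NRF_ID = "nrf-instance-1"
NRF_KEY = b"nrf-nfp-shared-key-demo"   # key shared between the NRF and NFp
NOW = 1_700_000_000                     # fixed clock so the outcomes are deterministic

def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(nrf_key: bytes, nrf_id: str, claims: dict) -> str:
    """NRF side: header.payload.mac, the header's kid naming the NRF instance so that
    NFp can select the verification key (the key lookup in S702)."""
    hdr = _b64u(json.dumps({"alg": "HS256", "kid": nrf_id}).encode())
    pay = _b64u(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(nrf_key, f"{hdr}.{pay}".encode(), hashlib.sha256).digest()
    return f"{hdr}.{pay}.{_b64u(mac)}"

class Nrf:
    """Simulated NRF holding NF consumer profiles: nfInstanceId -> {"nfSetId": ...}."""
    def __init__(self, profiles: dict):
        self.profiles = profiles

    def verify_consumer(self, nf_id: str, nf_set_id: str) -> bool:   # scheme 2, S706
        return self.profiles.get(nf_id, {}).get("nfSetId") == nf_set_id

    def set_of(self, nf_id: str):                                     # scheme 3, S709 (NF set C ID)
        return self.profiles.get(nf_id, {}).get("nfSetId")

class Nfp:
    def __init__(self, nf_id, nf_type, nf_set_id, slices, nrf_keys, nrf, scheme=2, local_cfg=None):
        self.nf_id, self.nf_type, self.nf_set_id = nf_id, nf_type, nf_set_id
        self.slices, self.nrf_keys, self.nrf, self.scheme = set(slices), nrf_keys, nrf, scheme
        self.local_cfg = local_cfg or {}  # scheme 1: nfInstanceId -> nfSetId
        self.cache = {}                   # S712: (consumer id, NF set ID) -> expiry

    def _integrity(self, token: str):     # S702: pick the key by NRF instance ID, check the MAC
        try:
            hdr, pay, mac = token.split(".")
            kid = json.loads(_b64u_dec(hdr))["kid"]
        except (ValueError, KeyError):
            return None, "malformed token"
        key = self.nrf_keys.get(kid)
        if key is None:
            return None, "unknown NRF instance ID"
        expected = hmac.new(key, f"{hdr}.{pay}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_dec(mac)):
            return None, "MAC mismatch"
        return json.loads(_b64u_dec(pay)), None

    def _consumer_in_set(self, consumer_id: str, set_id: str) -> bool:
        if self.scheme == 1:                                 # S704: local configuration
            return self.local_cfg.get(consumer_id) == set_id
        if self.scheme == 2:                                 # S705-S707: the NRF returns the verdict
            return self.nrf.verify_consumer(consumer_id, set_id)
        return self.nrf.set_of(consumer_id) == set_id        # S708-S711: NFp compares NF set C ID

    def authorize(self, consumer_id: str, service_op: str, token: str, now: int):
        """(granted, reason) for an NF service request carrying token from consumer_id."""
        claims, err = self._integrity(token)
        if err:
            return False, err
        set_a = claims.get("consumerNfSetId")                 # NF set A ID
        # S703: NF instance ID #1 (token requester) vs NF instance ID #2 (this requester);
        # a token without NF instance ID #1 goes straight to the NF set check.
        if claims.get("sub") != consumer_id:
            if set_a is None:
                return False, "token issued to another NF instance and carries no NF set ID"
            if self.cache.get((consumer_id, set_a), 0) <= now:   # no fresh S712 entry
                if not self._consumer_in_set(consumer_id, set_a):
                    return False, f"{consumer_id} is not in NF set {set_a}"
                self.cache[(consumer_id, set_a)] = claims.get("exp", now)   # assumption: bounded by exp
        # Remaining claims, checked after the NF set decision as the text prefers.
        if claims.get("aud") not in (self.nf_id, self.nf_type):
            return False, "audience is neither this NF instance nor its NF type"
        if claims.get("producerNfSetId", self.nf_set_id) != self.nf_set_id:
            return False, "producer NF set mismatch"
        if any(s not in self.slices for s in claims.get("producerSnssaiList", [])):
            return False, "cannot serve a claimed S-NSSAI"
        if service_op not in claims.get("scope", "").split():
            return False, "requested service operation not in scope"
        if claims.get("exp", 0) <= now:
            return False, "token expired"
        return True, "ok"

NRF = Nrf({"nfc1": {"nfSetId": "setA"}, "nfc2": {"nfSetId": "setA"}, "nfc9": {"nfSetId": "setZ"}})
CLAIMS = {"iss": NRF_ID, "sub": "nfc1", "consumerNfSetId": "setA", "aud": "nfp1",
          "producerNfSetId": "setB", "producerSnssaiList": ["1-000001"],
          "scope": "nudm-sdm nudm-uecm", "exp": NOW + 600}
TOKEN = mint_token(NRF_KEY, NRF_ID, CLAIMS)   # token NFc1 obtained; NFc2 in NF set A may reuse it

def make_nfp(scheme: int) -> Nfp:
    return Nfp("nfp1", "UDM", "setB", ["1-000001", "1-000002"], {NRF_ID: NRF_KEY}, NRF,
               scheme=scheme, local_cfg={"nfc1": "setA", "nfc2": "setA", "nfc9": "setZ"})

if __name__ == "__main__":
    for who in ("nfc1", "nfc2", "nfc9"):
        print(who, make_nfp(2).authorize(who, "nudm-sdm", TOKEN, NOW))
```

Running the block shows the three outcomes the text distinguishes: NFc1 (the token requester) is granted without any NF set check, NFc2 is granted only because the NF set A ID check passes and its association is then cached, and NFc9 is rejected because it belongs to a different NF set. A token minted under another key, or naming an NRF instance NFp has no key for, fails at S702 before any claim is read, which is the ordering the text prefers.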
FIG. 13 shows an exemplary flowchart of a method 800 provided by an embodiment of this application. In method 800, the service consumer does not communicate directly with the NRF network element; an SCP network element communicates with the NRF on the service consumer's behalf. Method 800 may be implemented in combination with method 600, for example after method 600, or independently; this application does not limit this. Method 800 includes:
S801: NFc2 sends an NF service request message to the SCP. The NF service request message includes the access token and the CCA of NFc2.
S802: The SCP forwards the received NF service request message to NFp.
It should be understood that S801 is similar to S701 in method 700, except that the receiver in S701 is NFp whereas the receiver in S801 is the SCP, and that the NF service request message in S801 carries the CCA of NFc2. The CCA includes the NF instance ID of NFc2, a timestamp and an expiration time, and the NF type.
It should be noted that in the direct communication scenario NFp can obtain the NF instance ID of NFc2 directly from the certificate of NFc2 or from the service request message, whereas in the indirect communication scenario NFp needs to obtain the NF instance ID of NFc2 from the CCA.
It should be understood that S803 to S806 are similar to S702 to S712 in method 700, where step S805 in method 800 may correspond to schemes 1 to 3 in method 700.
S807: NFp sends an NF service response message to the SCP.
S808: The SCP forwards the received NF service response message to NFc2.
For example, when all of the above verifications pass, NFp determines that NFc2 is entitled to request the service, processes the NF service request of NFc2, and sends an NF service response message to the NF service consumer via the SCP. If any of the above verifications fails, NFp sends an NF service response to NFc2 via the SCP rejecting the NF service request.
Likewise, with method 800, whether the NF service consumer is authorized to use the access token carried in the request message is determined by verifying whether the NF service consumer belongs to the NF set corresponding to that access token, which prevents a malicious NF service consumer from using the access token beyond its authority to obtain services.
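The difference between S701 and S801 that matters for security is where NFp gets NF instance ID #2 from: in direct communication from the consumer's TLS certificate or the request, in indirect communication only from a verified CCA, because the consumer's TLS identity ends at the SCP. The added example below (not code from the patent or from 3GPP) models S801, S802 and the identity step that precedes the S803 comparison. Assumptions: in the 3GPP definition the CCA is a JWT signed with the consumer's private key; here an HMAC under a per-consumer key stands in for that signature so the block runs with the standard library, the CCA body carries sub, nfType, iat and exp as the text lists, the request is a plain dict whose tls_peer_cert field represents what a direct TLS connection would provide, and requesterNfInstanceId is a constructed field showing an SCP-visible value that NFp must not take as the consumer's identity. The access token itself is not re-verified here; that is the procedure shown for method 700.

```python
import base64
import hashlib
import hmac
import json

NOW = 1_700_000_000                                # fixed clock (constructed)
CONSUMER_KEYS = {"nfc2": b"nfc2-credential-demo"}  # stands in for NFc2's certificate key (assumption)

def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_cca(nf_instance_id: str, nf_type: str, key: bytes, now: int, lifetime: int = 300) -> str:
    """NFc side: CCA = body.mac under the consumer's own key; the body carries the
    NF instance ID, a timestamp (iat), an expiry (exp) and the NF type."""
    body = _b64u(json.dumps({"sub": nf_instance_id, "nfType": nf_type,
                             "iat": now, "exp": now + lifetime}, sort_keys=True).encode())
    return body + "." + _b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify_cca(cca: str, now: int, keys=CONSUMER_KEYS):
    """NFp side: (claims, None) if the CCA is authentic and inside its validity window."""
    try:
        body, mac = cca.split(".")
        claims = json.loads(_b64u_dec(body))
    except ValueError:
        return None, "malformed CCA"
    key = keys.get(claims.get("sub"))
    if key is None:
        return None, "no credential known for the claimed NF instance"
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_dec(mac)):
        return None, "CCA MAC mismatch"
    if not claims.get("iat", now + 1) <= now < claims.get("exp", 0):
        return None, "CCA outside its validity window"
    return claims, None

def consumer_identity(request: dict, now: int, direct: bool):
    """NF instance ID #2 as NFp obtains it: peer certificate or request field when the
    consumer is the TLS peer (S701); only the CCA when an SCP is in the path (S801)."""
    if direct:
        cert = request.get("tls_peer_cert") or {}
        nf_id = cert.get("nfInstanceId") or request.get("requesterNfInstanceId")
        return (nf_id, None) if nf_id else (None, "no consumer identity in request")
    if "cca" not in request:
        return None, "indirect request without CCA"
    claims, err = verify_cca(request["cca"], now)
    return (None, err) if err else (claims["sub"], None)

def scp_forward(request: dict) -> dict:
    """SCP (S802): forwards the request; the consumer's TLS identity does not survive the hop."""
    forwarded = {k: v for k, v in request.items() if k != "tls_peer_cert"}
    forwarded["via"] = "scp1"
    return forwarded

def s803(token_sub, request: dict, now: int, direct: bool):
    """Outcome of the NF instance ID comparison: reject, same instance as the token
    requester (NF set check may be skipped), or go on to the NF set check."""
    nf_id, err = consumer_identity(request, now, direct)
    if err:
        return "reject", err
    return ("same-instance" if nf_id == token_sub else "check-nf-set"), nf_id

# Constructed messages: NFc2's request to the SCP (S801) and what NFp receives (S802).
REQUEST_FROM_NFC2 = {"access_token": "<token minted for nfc1 and NF set A>",
                     "cca": build_cca("nfc2", "AMF", CONSUMER_KEYS["nfc2"], NOW),
                     "requesterNfInstanceId": "nfc1"}   # SCP-visible field, not an identity proof
REQUEST_AT_NFP = scp_forward(REQUEST_FROM_NFC2)

if __name__ == "__main__":
    print(s803("nfc1", REQUEST_AT_NFP, NOW, direct=False))
    print(s803("nfc1", REQUEST_AT_NFP, NOW + 301, direct=False))
```

With the token minted for nfc1, the indirect request yields check-nf-set for nfc2 even though the forwarded request claims nfc1 in a plain field, because the identity is taken from the CCA. A replayed CCA past its exp, a CCA under the wrong key, or an indirect request with no CCA at all is rejected before the NF set path is entered.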
The embodiments described herein may be independent solutions or may be combined according to their internal logic; all such solutions fall within the protection scope of this application. For example, method 500 and method 700 may be used in combination or independently. As another example, method 600 may be used alone or in combination with method 800, and so on.
It can be understood that, in the method embodiments above, the methods and operations implemented by a network device (such as each network element) may also be implemented by a component usable in the network device (for example, a chip or a circuit).
The methods provided by the embodiments of this application have been described in detail above with reference to FIG. 6 to FIG. 13. The apparatus provided by the embodiments of this application is described in detail below with reference to FIG. 14 and FIG. 15. It should be understood that the description of the apparatus embodiments corresponds to that of the method embodiments; for content not described in detail, refer to the method embodiments above, which are not repeated here for brevity.
FIG. 14 is a schematic block diagram of an apparatus for authorization verification provided by an embodiment of this application. The apparatus 10 includes a transceiver unit 11 and a processing unit 12. The transceiver unit 11 implements the corresponding communication functions, and the processing unit 12 performs data processing. The transceiver unit 11 may also be called a communication interface or a communication unit.
Optionally, the apparatus 10 may further include a storage unit for storing instructions and/or data; the processing unit 12 may read the instructions and/or data in the storage unit so that the apparatus implements the method embodiments above.
The apparatus 10 may be used to perform the actions performed by the first network element (the NF service producer, NFp) in the method embodiments above. In that case, the apparatus 10 may be the first network element or a component configurable in the first network element; the transceiver unit 11 performs the sending and receiving operations on the first network element side in the method embodiments above, and the processing unit 12 performs the processing operations of the first network element.
Alternatively, the apparatus 10 may be used to perform the actions performed by the third network element (the NRF) in the method embodiments above. In that case, the apparatus 10 may be the third network element or a component configurable in the third network element; the transceiver unit 11 performs the sending and receiving operations on the third network element side in the method embodiments above, and the processing unit 12 performs the processing operations on the third network element side.
Alternatively, the apparatus 10 may be used to perform the actions performed by the second network element (the NF service consumer) in the method embodiments above. In that case, the apparatus 10 may be the second network element or a component configurable in the second network element; the transceiver unit 11 performs the sending and receiving operations of the second network element in the method embodiments above, and the processing unit 12 performs the processing operations on the second network element side.
As one design, the apparatus 10 is used to perform the actions performed by the first network element in the embodiment shown in FIG. 9 above.
In one implementation, the transceiver unit 11 is configured to receive a service request message associated with the second network element, where the service request message requests a first service provided by the first network element for the second network element; the service request message includes an access token, the access token includes an identifier of a first network function (NF) set, and the identifier of the first NF set indicates the service-requesting network elements to which the access token applies;
and the processing unit 12 is configured to determine, based on the identifier of the first NF set, whether to authorize the second network element to use the first service.
As an example, the processing unit 12 is specifically configured to: determine whether the second network element belongs to the first NF set indicated by the identifier of the first NF set; and, if the second network element does not belong to the first NF set, refuse to provide the first service to the second network element.
As another example, the transceiver unit 11 is specifically configured to: send a first verification request message to a third network element, where the first verification request message requests verification of whether the second network element belongs to the first NF set indicated by the identifier of the first NF set, and includes the identifier of the second network element and the identifier of the first NF set; and receive indication information from the third network element;
and the processing unit 12 is specifically configured to: determine from the indication information whether the second network element belongs to the first NF set; and, if the second network element does not belong to the first NF set, refuse to provide the first service to the second network element.
As another example, the transceiver unit 11 is specifically configured to: send a second verification request message to a third network element, where the second verification request message requests the identifier of the NF set to which the second network element belongs and includes the identifier of the second network element; and receive an identifier of a second NF set from the third network element;
and the processing unit 12 is specifically configured to: refuse to provide the first service to the second network element if the identifier of the second NF set differs from the identifier of the first NF set.
As another example, the transceiver unit 11 is specifically configured to: send, from the first network element, a third verification request message to a third network element, where the third verification request message requests the identifiers of the NFs included in the first NF set indicated by the identifier of the first NF set and includes the identifier of the first NF set; and receive from the third network element the identifiers of the NFs included in the first NF set;
and the processing unit 12 is specifically configured to: refuse to provide the first service to the second network element if the identifiers of the NFs included in the first NF set do not include the identifier of the second network element.
As another example, the processing unit 12 is specifically configured to: determine, from configuration information and the identifier of the second network element, whether the second network element belongs to the first NF set, where the configuration information includes the identifiers of the NFs in the first NF set and/or the identifier of the NF set to which the second network element belongs.
As another example, the transceiver unit 11 is further configured to: obtain the identifier of the second network element from the certificate of the second network element; or receive the client credentials assertion (CCA) of the second network element from a service communication proxy network element, where the CCA includes the identifier of the second network element; or obtain the identifier of the second network element from the service request message.
As another example, the access token further includes an identifier of a fourth network element, the fourth network element belongs to the first NF set indicated by the identifier of the first NF set, and the identifier of the fourth network element indicates that the access token was obtained at the request of the fourth network element;
As another example, the processing unit 12 is further configured to: determine that the identifier of the second network element differs from the identifier of the fourth network element.
As another example, the processing unit 12 is further configured to: when it is determined that the second network element belongs to the first NF set indicated by the identifier of the first NF set, store the association between the identifier of the second network element and the identifier of the first NF set.
As another example, the third network element is a network repository function (NRF) network element.
The apparatus 10 can implement the steps or procedures performed by NFp in method 700 to method 800 according to the embodiments of this application, and may include units for performing the methods performed by NFp in method 700 of FIG. 12 to method 800 of FIG. 13. The units of the apparatus 10 and the other operations and/or functions above respectively implement the corresponding procedures of method 700 to method 800.
When the apparatus 10 performs method 700 of FIG. 12, the transceiver unit 11 may perform steps S701, S705, S707, S708, S710 and S713 of method 700, and the processing unit 12 performs steps S702, S703, S704, S711 and S712 of method 700.
When the apparatus 10 performs method 800 of FIG. 13, the transceiver unit 11 may perform steps S802 and S807 of method 800, and the processing unit 12 may perform any of steps S803 to S806 of method 800.
It should be understood that the specific process by which each unit performs the corresponding steps above has been described in detail in the method embodiments and is not repeated here for brevity.
The apparatus 10 can implement the steps or procedures performed by the NRF in method 500 to method 800 according to the embodiments of this application, and may include units for performing the methods performed by the NRF in method 500 of FIG. 10 to method 700 of FIG. 12. The units of the apparatus 10 and the other operations and/or functions above respectively implement the corresponding procedures of method 500 to method 800.
When the apparatus 10 performs method 500 of FIG. 10, the transceiver unit 11 may perform steps S502 and S505 of method 500, and the processing unit 12 performs steps S501, S503 and S504 of method 500.
When the apparatus 10 performs method 600 of FIG. 11, the transceiver unit 11 may perform steps S603 and S606 of method 600, and the processing unit 12 may perform any of steps S601, S604 and S605 of method 600.
When the apparatus 10 performs method 700 of FIG. 12, the transceiver unit 11 may perform the NRF side of steps S705, S707, S708 and S710 of method 700 (receiving the verification request messages and sending the verification response messages), and the processing unit 12 may perform any of steps S706 and S709 of method 700.
It should be understood that the specific process by which each unit performs the corresponding steps above has been described in detail in the method embodiments and is not repeated here for brevity.
As shown in FIG. 15, an embodiment of this application further provides an authentication and authorization device 20. The device 20 includes a processor 21 coupled to a memory 22; the memory 22 is configured to store a computer program or instructions and/or data, and the processor 21 is configured to execute the computer program or instructions and/or data stored in the memory 22, so that the methods in the method embodiments above are performed.
Optionally, the device 20 includes one or more processors 21.
Optionally, as shown in FIG. 14, the device 20 may further include a memory 22.
Optionally, the device 20 may include one or more memories 22.
Optionally, the memory 22 may be integrated with the processor 21 or provided separately.
Optionally, as shown in FIG. 14, the device 20 may further include a transceiver 23, which is configured to receive and/or send signals. For example, the processor 21 is configured to control the transceiver 23 to receive and/or send signals.
In one solution, the device 20 is configured to implement the operations performed by the first network element or the NF service provider (NFp) in the method embodiments above.
For example, the processor 21 is configured to implement the processing-related operations performed by the first network element or NF service provider (NFp) in the method embodiments above, and the transceiver 23 is configured to implement the transceiving-related operations performed by the first network element or NF service provider (NFp) in the method embodiments above.
In another solution, the device 20 is configured to implement the operations performed by the third network element or the NRF in the method embodiments above.
For example, the processor 21 is configured to implement the processing-related operations performed by the third network element or NRF in the method embodiments above, and the transceiver 23 is configured to implement the transceiving-related operations performed by the third network element or NRF in the method embodiments above.
In yet another solution, the device 20 is configured to implement the operations performed by the second network element or the NF service consumer (NFc) in the method embodiments above.
For example, the processor 21 is configured to implement the processing-related operations performed by the second network element or NF service consumer (NFc) in the method embodiments above, and the transceiver 23 is configured to implement the transceiving-related operations performed by the second network element or NF service consumer (NFc) in the method embodiments above.
It should be understood that the specific process by which each module performs the corresponding steps above has been described in detail in the method embodiments above and, for brevity, is not repeated here.
An embodiment of this application further provides a processing apparatus including a processor and an interface; the processor is configured to perform the method in any of the method embodiments above.
It should be understood that the processing apparatus above may be one or more chips. For example, the processing apparatus may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a micro controller unit (MCU), a programmable logic device (PLD) or another integrated chip.
An embodiment of this application further provides a computer-readable storage medium storing computer instructions for implementing the method performed by the first network element (NF service provider), the second network element (NF service consumer) or the third network element (NRF) in the method embodiments above.
For example, when the computer program is executed by a computer, the computer is enabled to implement the method performed by the first network element (NF service provider), the second network element (NF service consumer) or the third network element (NRF) in the method embodiments above.
An embodiment of this application further provides a computer program product containing instructions that, when executed by a computer, cause the computer to implement the method performed by the first network element (or NF service provider), the method performed by the second network element (or NF service consumer), or the method performed by the third network element (or NRF) in the method embodiments above.
An embodiment of this application further provides a communication system including the first network element, the second network element and the third network element of the embodiments above.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the explanations and beneficial effects of the relevant content of any communication apparatus provided above may be found in the corresponding method embodiments provided above, and are not repeated here.
The embodiments of this application do not particularly limit the specific structure of the entity that executes the methods provided in the embodiments of this application, as long as it can communicate according to those methods by running a program that records their code. For example, the entity executing the method provided in the embodiments of this application may be a terminal device or a network device, or a functional module in a terminal device or network device that can invoke and execute a program.
Various aspects or features of this application may be implemented as a method, an apparatus, or an article of manufacture using standard programming and/or engineering techniques. The term "article of manufacture" as used herein may cover a computer program accessible from any computer-readable device, carrier or medium.
The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data center that integrates one or more available media. Available media (that is, computer-readable media) may include, but are not limited to: magnetic media or magnetic storage devices (for example, floppy disks, hard disks (such as removable hard disks) and magnetic tape), optical media (for example, optical discs, compact discs (CD) and digital versatile discs (DVD)), smart cards and flash memory devices (for example, erasable programmable read-only memory (EPROM), cards, sticks or key drives), or semiconductor media (for example, solid state disks (SSD)), USB flash drives, read-only memory (ROM), random access memory (RAM) and other media capable of storing program code.
The various storage media described herein may represent one or more devices and/or other machine-readable media for storing information. The term "machine-readable medium" may include, but is not limited to, wireless channels and various other media capable of storing, containing and/or carrying instructions and/or data.
It should be understood that the memory mentioned in the embodiments of this application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory. The volatile memory may be random access memory (RAM). For example, RAM may serve as an external cache. By way of example and not limitation, RAM may take many forms: static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM).
It should be noted that when the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, the memory (storage module) may be integrated in the processor.
It should also be noted that the memories described herein are intended to include, but are not limited to, these and any other suitable types of memory.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is merely a logical functional division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to implement the solutions provided in this application.
In addition, the functional units in the embodiments of this application may be integrated into one unit, each unit may exist physically alone, or two or more units may be integrated into one unit.
The embodiments above may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. For example, the computer may be a personal computer, a server or a network device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example, coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (for example, infrared, radio or microwave). For the computer-readable storage medium, refer to the description above.
The above are merely specific embodiments of this application, but the protection scope of this application is not limited thereto; any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims and the specification.

Claims (40)

  1. A method for authorization verification, characterized by comprising:
    receiving, by a first network element, a service request message associated with a second network element, where the service request message is used to request the first network element to provide a first service to the second network element, the service request message includes an access token, the access token includes an identifier of a first network function (NF) set, and the identifier of the first NF set is used to indicate the service requesting network element to which the access token applies;
    determining, by the first network element according to the identifier of the first NF set, whether to authorize the second network element to use the first service.
  2. The method according to claim 1, characterized in that the determining, by the first network element according to the identifier of the first NF set, whether to authorize the second network element to use the first service comprises:
    determining, by the first network element, whether the second network element belongs to the first NF set indicated by the identifier of the first NF set;
    when the second network element does not belong to the first NF set, refusing, by the first network element, to provide the first service to the second network element.
  3. The method according to claim 1 or 2, characterized in that the determining, by the first network element according to the identifier of the first NF set, whether to authorize the second network element to use the first service comprises:
    sending, by the first network element, a first verification request message to a third network element, where the first verification request message is used to request verification of whether the second network element belongs to the first NF set indicated by the identifier of the first NF set, and the first verification request message includes an identifier of the second network element and the identifier of the first NF set;
    receiving, by the first network element, indication information from the third network element;
    determining, by the first network element according to the indication information, whether the second network element belongs to the first NF set;
    when the second network element does not belong to the first NF set, refusing, by the first network element, to provide the first service to the second network element.
  4. The method according to claim 1 or 2, characterized in that the determining, by the first network element according to the identifier of the first NF set, whether to authorize the second network element to use the first service comprises:
    sending, by the first network element, a second verification request message to a third network element, where the second verification request message is used to request the identifier of the NF set to which the second network element belongs, and the second verification request message includes an identifier of the second network element;
    receiving, by the first network element, an identifier of a second NF set from the third network element;
    when the identifier of the second NF set differs from the identifier of the first NF set, refusing, by the first network element, to provide the first service to the second network element.
  5. The method according to claim 1 or 2, characterized in that the determining, by the first network element according to the identifier of the first NF set, whether to authorize the second network element to use the first service comprises:
    sending, by the first network element, a third verification request message to a third network element, where the third verification request message is used to request the identifiers of the NFs included in the first NF set indicated by the identifier of the first NF set, and the third verification request message includes the identifier of the first NF set;
    receiving, by the first network element, the identifiers of the NFs included in the first NF set from the third network element;
    when the identifiers of the NFs included in the first NF set do not include the identifier of the second network element, refusing, by the first network element, to provide the first service to the second network element.
  6. The method according to any one of claims 3 to 5, characterized in that the third network element is a network repository function network element.
  7. The method according to claim 2, characterized in that the determining, by the first network element, whether the second network element belongs to the first NF set indicated by the identifier of the first NF set comprises:
    determining, by the first network element according to configuration information and an identifier of the second network element, whether the second network element belongs to the first NF set, where the configuration information includes the identifiers of the NFs in the first NF set and/or the identifier of the NF set to which the second network element belongs.
  8. The method according to any one of claims 1 to 7, characterized in that the method further comprises:
    obtaining, by the first network element, the identifier of the second network element from a certificate of the second network element; or
    receiving, by the first network element, a client credentials assertion (CCA) of the second network element from a service communication proxy network element, where the CCA includes the identifier of the second network element; or
    obtaining, by the first network element, the identifier of the second network element from the service request message.
  9. The method according to any one of claims 1 to 8, characterized in that the access token further includes an identifier of a fourth network element, the identifier of the fourth network element is used to indicate that the access token was obtained at the request of the fourth network element, and the fourth network element belongs to the first NF set indicated by the identifier of the first NF set;
    the method further comprises:
    determining, by the first network element, that the identifier of the second network element differs from the identifier of the fourth network element.
  10. The method according to any one of claims 1 to 9, characterized in that the method further comprises:
    when the first network element determines that the second network element belongs to the first NF set indicated by the identifier of the first NF set, storing, by the first network element, an association between the identifier of the second network element and the identifier of the first NF set.
  11. The method according to any one of claims 1 to 10, characterized in that the access token further includes other verification conditions, and the method further comprises:
    determining, by the first network element according to the other verification conditions, whether to authorize the second network element to use the first service, where the other verification conditions include one or more of the following:
    an NF instance identifier of the service provider, an NF type of the service provider, single network slice selection assistance information of the service provider, a network slice instance identifier of the service provider, an identifier of the NF set to which the expected service provider belongs, an expected service name, and a validity time of the access token.
  12. The method according to claim 11, characterized in that the determining, by the first network element according to the identifier of the first NF set, whether to authorize the second network element to use the first service comprises:
    when the second network element belongs to the first NF set indicated by the identifier of the first NF set and the other verification conditions are verified successfully, authorizing, by the first network element, the second network element to use the first service.
  13. The method according to claim 11, characterized in that the determining, by the first network element according to the identifier of the first NF set, whether to authorize the second network element to use the first service comprises:
    when the second network element does not belong to the first NF set indicated by the identifier of the first NF set, and/or any one of the other verification conditions fails verification, refusing, by the first network element, to provide the service to the second network element.
  14. A method for authorization verification, characterized by comprising:
    receiving, by a third network element, a first verification request message from a first network element, where the first verification request message includes an identifier of a second network element and an identifier of a first NF set, and the first verification request message is used to request verification of whether the second network element belongs to the first NF set indicated by the identifier of the first NF set;
    determining, by the third network element according to the identifier of the second network element and the identifier of the first NF set, whether the second network element belongs to the first NF set;
    sending, by the third network element, indication information to the first network element, where the indication information is used to indicate whether the second network element belongs to the first NF set.
  15. The method according to claim 14, characterized in that the determining, by the third network element according to the identifier of the second network element and the identifier of the first NF set, whether the second network element belongs to the first NF set comprises:
    determining, by the third network element according to the identifier of the second network element and configuration information of the second network element, the identifier of the NF set to which the second network element belongs;
    when the identifier of the NF set to which the second network element belongs matches the identifier of the first NF set, determining, by the third network element, that the second network element belongs to the first NF set; otherwise, determining, by the third network element, that the second network element does not belong to the first NF set.
  16. The method according to claim 14, characterized in that the determining, by the third network element according to the identifier of the second network element and the identifier of the first NF set, whether the second network element belongs to the first NF set comprises:
    determining, by the third network element according to the identifier of the first NF set and configuration information of the first NF set, the identifiers of the NFs in the first NF set;
    when the identifiers of the NFs in the first NF set include the identifier of the second network element, determining, by the third network element, that the second network element belongs to the first NF set; otherwise, determining, by the third network element, that the second network element does not belong to the first NF set.
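As an added illustration that is not part of the patent and not the applicant's code, the following Python sketch models the producer-side check of claims 1, 2, 7, 9, 10, 11 and 13 (a token whose NF set identifier is compared against the consumer's set membership, decided from local configuration or by asking the NRF) together with the NRF-side membership lookups of claims 14 to 16. The NF instance identifiers, NF set identifiers, token field names and the NRF profile table are constructed assumptions, not 3GPP schema.

```python
"""Added example, not from the patent: first network element (NFp) authorization
check on an access token carrying an NF set identifier, plus the third network
element (NRF) membership checks. All identifiers and field names are constructed."""
from dataclasses import dataclass, field

# Constructed NRF data: NF instance identifier -> identifier of the NF set it belongs to.
# Stands in for the "configuration information" the third network element consults.
NRF_PROFILES = {
    "amf-1": "set-amf-region1",
    "amf-2": "set-amf-region1",
    "smf-1": "set-smf-region1",
}


def nrf_verify_membership(nf_instance_id: str, nf_set_id: str) -> bool:
    """Third network element, first verification request (claims 14, 15):
    look up the set of the queried NF and compare it with the requested set."""
    return NRF_PROFILES.get(nf_instance_id) == nf_set_id


def nrf_members_of_set(nf_set_id: str) -> set:
    """Third network element, third verification request (claims 5, 16):
    return the identifiers of all NFs in the set; an unknown set is empty."""
    return {nf for nf, s in NRF_PROFILES.items() if s == nf_set_id}


@dataclass
class AccessToken:
    """Constructed token claims; the field names are assumptions."""
    nf_set_id: str      # identifier of the first NF set (claim 1)
    requester_nf: str   # fourth network element that obtained the token (claim 9)
    audience_nf: str    # NF instance id of the expected service provider (claim 11)
    scope: str          # expected service name (claim 11)
    exp: float          # validity time, seconds since epoch (claim 11)


@dataclass
class ServiceRequest:
    consumer_nf_id: str  # second network element id, from cert, CCA or message (claim 8)
    service_name: str
    token: AccessToken


@dataclass
class Producer:
    """First network element (NFp)."""
    nf_instance_id: str
    local_config: dict = field(default_factory=dict)  # NF id -> NF set id (claim 7)
    associations: dict = field(default_factory=dict)  # NF id -> NF set id (claim 10)

    def member_of_set(self, consumer_nf_id: str, nf_set_id: str) -> bool:
        # Local configuration first (claim 7); otherwise query the NRF (claim 3).
        if consumer_nf_id in self.local_config:
            return self.local_config[consumer_nf_id] == nf_set_id
        return nrf_verify_membership(consumer_nf_id, nf_set_id)

    def authorize(self, req: ServiceRequest, now: float) -> tuple:
        """Return (authorized, reason). Any failing condition rejects (claim 13)."""
        tok = req.token
        # Other verification conditions carried in the token (claim 11).
        if tok.exp <= now:
            return False, "token expired"
        if tok.audience_nf != self.nf_instance_id:
            return False, "token not issued for this producer"
        if tok.scope != req.service_name:
            return False, "service not covered by token scope"
        # NF set check (claims 1, 2). The consumer may differ from the NF that
        # obtained the token (claim 9); membership in the set decides, not identity.
        if not self.member_of_set(req.consumer_nf_id, tok.nf_set_id):
            return False, "consumer not in the NF set named by the token"
        # Remember the verified association (claim 10).
        self.associations[req.consumer_nf_id] = tok.nf_set_id
        reused = req.consumer_nf_id != tok.requester_nf
        return True, "authorized (token reused within set)" if reused else "authorized"
```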
  17. 一种授权验证的方法,其特征在于,包括:A method for authorization verification, characterized by comprising:
    第一网元接收与第二网元关联的服务请求消息,所述服务请求消息用于请求所述第一网元向所述第二网元提供第一服务,所述服务请求消息包括访问令牌,所述访问令牌包括第一网络功能NF集的标识,所述第一NF集的标识用于指示所述访问令牌适用的服务请求网元;The first network element receives a service request message associated with the second network element, the service request message is used to request the first network element to provide the first service to the second network element, and the service request message includes an access token A card, the access token includes an identifier of a first network function NF set, and the identifier of the first NF set is used to indicate a service requesting network element to which the access token is applicable;
    所述第一网元向第三网元发送第一验证请求消息,所述第一验证请求消息用于请求验证所述第二网元是否属于所述第一NF集的标识所指示的第一NF集合,所述第一验证请求消息包括所述第二网元的标识和所述第一NF集的标识;The first network element sends a first verification request message to a third network element, where the first verification request message is used to request to verify whether the second network element belongs to the first NF indicated by the identifier of the first NF set. NF set, the first verification request message includes the identifier of the second network element and the identifier of the first NF set;
    所述第三网元接收来自第一网元的第一验证请求消息;The third network element receives a first verification request message from the first network element;
    the third network element determines, according to the identifier of the second network element and the identifier of the first NF set, whether the second network element belongs to the first NF set;
    the third network element sends indication information to the first network element, the indication information being used to indicate whether the second network element belongs to the first NF set;
    the first network element receives the indication information from the third network element;
    the first network element determines, according to the indication information, whether the second network element belongs to the first NF set;
    in a case where the second network element does not belong to the first NF set, the first network element refuses to provide the first service to the second network element.
  18. The method according to claim 17, wherein the determining, by the third network element, whether the second network element belongs to the first NF set according to the identifier of the second network element and the identifier of the first NF set comprises:
    the third network element determines, according to the identifier of the second network element and configuration information of the second network element, the identifier of the NF set to which the second network element belongs;
    in a case where the identifier of the NF set to which the second network element belongs matches the identifier of the first NF set, the third network element determines that the second network element belongs to the first NF set; otherwise, the third network element determines that the second network element does not belong to the first NF set.
  19. The method according to claim 17, wherein the determining, by the third network element, whether the second network element belongs to the first NF set according to the identifier of the second network element and the identifier of the first NF set comprises:
    the third network element determines, according to the identifier of the first NF set and configuration information of the first NF set, the identifiers of the NFs in the first NF set;
    in a case where the identifiers of the NFs in the first NF set include the identifier of the second network element, the third network element determines that the second network element belongs to the first NF set; otherwise, the third network element determines that the second network element does not belong to the first NF set.
  20. A method for authorization verification, characterized by comprising:
    a first network element receives a service request message associated with a second network element, the service request message being used to request the first network element to provide a first service to the second network element, the service request message comprising an access token, the access token comprising an identifier of a first network function (NF) set, the identifier of the first NF set being used to indicate the service-requesting network elements to which the access token applies;
    the first network element sends a second verification request message to a third network element, the second verification request message being used to request the identifier of the NF set to which the second network element belongs, the second verification request message comprising the identifier of the second network element;
    the third network element receives the second verification request message from the first network element;
    in response to the second verification request message, the third network element sends the identifier of a second NF set to the first network element, the second NF set being the NF set to which the second network element belongs;
    the first network element receives the identifier of the second NF set from the third network element;
    in a case where the identifier of the second NF set differs from the identifier of the first NF set, the first network element refuses to provide the first service to the second network element.
  21. A method for authorization verification, characterized by comprising:
    a first network element receives a service request message associated with a second network element, the service request message being used to request the first network element to provide a first service to the second network element, the service request message comprising an access token, the access token comprising an identifier of a first network function (NF) set, the identifier of the first NF set being used to indicate the service-requesting network elements to which the access token applies;
    the first network element sends a third verification request message to a third network element, the third verification request message being used to request the identifiers of the NFs included in the first NF set indicated by the identifier of the first NF set, the third verification request message comprising the identifier of the first NF set;
    the third network element receives the third verification request message from the first network element;
    in response to the third verification request message, the third network element sends the identifiers of the NFs included in the first NF set to the first network element;
    the first network element receives the identifiers of the NFs included in the first NF set from the third network element;
    in a case where the identifiers of the NFs included in the first NF set do not include the identifier of the second network element, the first network element refuses to provide the first service to the second network element.
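The three verification exchanges of claims 17 to 21 differ only in which question the service producer puts to the third network element and which side does the comparison. The following Python model is an added illustration, not code from the patent: it implements the third network element as an NRF-like lookup service (answering from per-NF configuration as in claim 18, or from per-set configuration as in claim 19) and the producer's refusal rule for each of the three request types. The NF identifiers, set identifiers and configuration tables are constructed for the example; a requester unknown to the NRF is refused by every variant, which is the edge case a producer must treat as "not a member".

```python
"""Added example (not from the patent): the three NF-set verification
exchanges of claims 17 to 21. A service producer (first network element)
holds an access token whose first NF set identifier says which requesting
NFs it applies to, and asks a third network element (the NRF of claim 27)
about the requesting NF (second network element) in one of three ways:

  first verification request  (claim 17): is NF X a member of set S?
  second verification request (claim 20): which set does NF X belong to?
  third verification request  (claim 21): which NFs make up set S?

The NRF answers from its configuration, either per NF (claim 18) or per
NF set (claim 19). NF identifiers, set identifiers and the NRF tables are
constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass
class Nrf:
    """Third network element holding both views of NF-set membership."""
    nf_to_set: Dict[str, str]               # configuration per NF (claim 18)
    set_to_nfs: Dict[str, FrozenSet[str]]   # configuration per NF set (claim 19)

    def first_verification(self, nf_id: str, set_id: str, by_set_config: bool = False) -> bool:
        """Answer the first verification request with an indication (claim 17)."""
        if by_set_config:
            # claim 19: look the set up, then check its member list
            return nf_id in self.set_to_nfs.get(set_id, frozenset())
        # claim 18: look the NF up, then compare the set it belongs to
        return self.nf_to_set.get(nf_id) == set_id

    def second_verification(self, nf_id: str) -> Optional[str]:
        """Answer the second verification request: the requester's own set (claim 20)."""
        return self.nf_to_set.get(nf_id)

    def third_verification(self, set_id: str) -> FrozenSet[str]:
        """Answer the third verification request: the set's members (claim 21)."""
        return self.set_to_nfs.get(set_id, frozenset())


@dataclass
class AccessToken:
    nf_set_id: str   # identifier of the first NF set the token applies to
    service: str     # name of the first service


def decide_claim17(nrf: Nrf, token: AccessToken, requester_id: str,
                   by_set_config: bool = False) -> bool:
    """Producer grants only if the NRF's indication says 'member' (claim 17)."""
    return nrf.first_verification(requester_id, token.nf_set_id, by_set_config)


def decide_claim20(nrf: Nrf, token: AccessToken, requester_id: str) -> bool:
    """Producer refuses when the requester's set id differs from the token's (claim 20).
    An unknown requester yields None, which also differs and is refused."""
    return nrf.second_verification(requester_id) == token.nf_set_id


def decide_claim21(nrf: Nrf, token: AccessToken, requester_id: str) -> bool:
    """Producer refuses when the set's member list lacks the requester (claim 21)."""
    return requester_id in nrf.third_verification(token.nf_set_id)


def demo_nrf() -> Nrf:
    """Constructed NRF configuration: two AMFs in one set, one SMF in another."""
    return Nrf(
        nf_to_set={"amf-1": "amf-set-a", "amf-2": "amf-set-a", "smf-1": "smf-set-b"},
        set_to_nfs={"amf-set-a": frozenset({"amf-1", "amf-2"}),
                    "smf-set-b": frozenset({"smf-1"})},
    )


if __name__ == "__main__":
    nrf = demo_nrf()
    token = AccessToken(nf_set_id="amf-set-a", service="nudm-sdm")
    for requester in ("amf-2", "smf-1", "amf-9"):
        verdicts = (decide_claim17(nrf, token, requester),
                    decide_claim20(nrf, token, requester),
                    decide_claim21(nrf, token, requester))
        print(requester, "granted" if all(verdicts) else "refused", verdicts)
```

The three decision functions are interchangeable for a consistent NRF configuration; the choice between them is about how much the third network element reveals per query (a yes/no indication, one set identifier, or a whole member list) rather than about the outcome.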
  22. An apparatus for authorization verification, characterized by comprising:
    a transceiver unit, configured to receive a service request message associated with a second network element, the service request message being used to request the first network element to provide a first service, the service request message comprising an access token, the access token comprising an identifier of a first network function (NF) set, the identifier of the first NF set being used to indicate the service-requesting network elements to which the access token applies;
    a processing unit, configured to determine, according to the identifier of the first NF set, whether to authorize the second network element to use the first service.
  23. The apparatus according to claim 14, wherein the processing unit is specifically configured to:
    determine whether the second network element belongs to the first NF set indicated by the identifier of the first NF set;
    in a case where the second network element does not belong to the first NF set, refuse to provide the first service to the second network element.
  24. The apparatus according to claim 14 or 15, wherein the transceiver unit is specifically configured to:
    send a first verification request message to a third network element, the first verification request message being used to request verification of whether the second network element belongs to the first NF set indicated by the identifier of the first NF set, the first verification request message comprising the identifier of the second network element and the identifier of the first NF set;
    receive indication information from the third network element;
    and the processing unit is specifically configured to:
    determine, according to the indication information, whether the second network element belongs to the first NF set;
    in a case where the second network element does not belong to the first NF set, refuse to provide the first service to the second network element.
  25. The apparatus according to claim 14 or 15, wherein the transceiver unit is specifically configured to:
    send a second verification request message to a third network element, the second verification request message being used to request the identifier of the NF set to which the second network element belongs, the second verification request message comprising the identifier of the second network element;
    receive the identifier of a second NF set from the third network element;
    and the processing unit is specifically configured to:
    in a case where the identifier of the second NF set differs from the identifier of the first NF set, refuse to provide the first service to the second network element.
  26. The apparatus according to claim 14 or 15, wherein the transceiver unit is specifically configured to:
    send a third verification request message to a third network element, the third verification request message being used to request the identifiers of the NFs included in the first NF set indicated by the identifier of the first NF set, the third verification request message comprising the identifier of the first NF set;
    receive the identifiers of the NFs included in the first NF set from the third network element;
    and the processing unit is specifically configured to:
    in a case where the identifiers of the NFs included in the first NF set do not include the identifier of the second network element, refuse to provide the first service to the second network element.
  27. The apparatus according to any one of claims 16 to 18, wherein the third network element is a network repository function (NRF) network element.
  28. The apparatus according to claim 15, wherein the processing unit is specifically configured to:
    determine, according to configuration information and the identifier of the second network element, whether the second network element belongs to the first NF set, the configuration information comprising the identifiers of the NFs in the first NF set and/or the identifier of the NF set to which the second network element belongs.
  29. The apparatus according to any one of claims 14 to 20, wherein the transceiver unit is further configured to:
    obtain the identifier of the second network element from a certificate of the second network element; or
    receive a client credentials assertion (CCA) of the second network element from a service communication proxy network element, the CCA comprising the identifier of the second network element; or
    obtain the identifier of the second network element from the service request message.
  30. The apparatus according to any one of claims 14 to 21, wherein the access token further comprises an identifier of a fourth network element, the identifier of the fourth network element being used to indicate that the access token was obtained at the request of the fourth network element, and the fourth network element belongs to the first NF set indicated by the identifier of the first NF set;
    and the processing unit is further configured to:
    determine that the identifier of the second network element differs from the identifier of the fourth network element.
  31. The apparatus according to any one of claims 14 to 22, wherein the processing unit is further configured to:
    in a case where it is determined that the second network element belongs to the first NF set indicated by the identifier of the first NF set, store an association between the identifier of the second network element and the identifier of the first NF set.
  32. The apparatus according to any one of claims 14 to 23, wherein the access token further comprises other verification conditions, and the processing unit is further configured to:
    determine, according to the other verification conditions, whether to authorize the second network element to use the first service, the other verification conditions comprising one or more of the following:
    the NF instance identifier of the service provider, the NF type of the service provider, the single network slice selection assistance information of the service provider, the network slice instance identifier of the service provider, the identifier of the NF set to which the service provider belongs, the service name of the first service, and the validity time of the access token.
  33. The apparatus according to claim 24, wherein the processing unit is specifically configured to:
    authorize the second network element to use the first service when the second network element belongs to the first NF set indicated by the identifier of the first NF set and the other verification conditions pass verification.
  34. The apparatus according to claim 24, wherein the processing unit is specifically configured to:
    refuse to provide the service to the second network element when the second network element does not belong to the first NF set indicated by the identifier of the first NF set, and/or any one of the other verification conditions fails verification.
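Claims 28 to 34 describe the producer-side decision as a whole: obtain the requester's identifier (claim 29), check set membership from local configuration and remember the association (claims 28 and 31), note whether the requester is the NF that originally obtained the token (claim 30), and grant only when membership and every other token condition hold (claims 32 to 34). The Python below is an added example, not the patent's own code; it models that decision with a constructed producer profile, a constructed token and constructed NF identifiers, and it reports the names of the conditions that failed so a refusal can be logged with its reason.

```python
"""Added example (not from the patent): the producer-side decision of
claims 22 to 34, using a locally configured NF-set membership table
(claim 28) rather than an NRF exchange. The access token carries the
identifier of the first NF set, the identifier of the NF that obtained
the token (the fourth network element of claim 30) and the other
verification conditions of claim 32. Producer profile, token, request
fields and identifiers are all constructed for this example.
"""
import time
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class AccessToken:
    nf_set_id: str                              # first NF set the token applies to
    requested_by: Optional[str] = None          # fourth network element (claim 30)
    expires_at: Optional[float] = None          # validity time (claim 32)
    producer_instance_id: Optional[str] = None  # service provider NF instance id
    producer_nf_type: Optional[str] = None
    producer_snssai: Optional[str] = None
    producer_nsi_id: Optional[str] = None
    producer_set_id: Optional[str] = None
    service_name: Optional[str] = None


@dataclass
class Decision:
    granted: bool
    failures: List[str]        # empty when granted
    reused_by_sibling: bool    # claim 30: requester differs from the NF that got the token


def requester_id_from(request: dict) -> Optional[str]:
    """Claim 29: take the requester's identifier from its certificate, from a
    CCA relayed by the SCP, or from the service request itself (in that order).
    The three field names are constructed for this example."""
    for source in ("certificate_subject", "cca_subject", "requester_id"):
        if request.get(source):
            return request[source]
    return None


@dataclass
class Producer:
    """First network element: own profile plus configured NF-set membership."""
    instance_id: str
    nf_type: str
    snssais: FrozenSet[str]
    nsi_ids: FrozenSet[str]
    set_id: str
    nf_sets: Dict[str, FrozenSet[str]]                      # claim 28 configuration
    learned: Dict[str, str] = field(default_factory=dict)   # claim 31 associations

    def in_first_set(self, requester_id: str, set_id: str) -> bool:
        """Claim 28: membership from configuration; claim 31: remember a hit."""
        if self.learned.get(requester_id) == set_id:
            return True
        if requester_id in self.nf_sets.get(set_id, frozenset()):
            self.learned[requester_id] = set_id
            return True
        return False

    def failed_conditions(self, token: AccessToken, service: str, now: float) -> List[str]:
        """Claim 32: names of the other verification conditions that do not hold.
        A condition the token does not carry is not checked."""
        failures = []
        if token.producer_instance_id not in (None, self.instance_id):
            failures.append("service provider NF instance id")
        if token.producer_nf_type not in (None, self.nf_type):
            failures.append("service provider NF type")
        if token.producer_snssai is not None and token.producer_snssai not in self.snssais:
            failures.append("service provider S-NSSAI")
        if token.producer_nsi_id is not None and token.producer_nsi_id not in self.nsi_ids:
            failures.append("service provider NSI id")
        if token.producer_set_id not in (None, self.set_id):
            failures.append("service provider NF set id")
        if token.service_name not in (None, service):
            failures.append("service name")
        if token.expires_at is not None and now >= token.expires_at:
            failures.append("access token validity time")
        return failures

    def authorize(self, token: AccessToken, request: dict, service: str,
                  now: Optional[float] = None) -> Decision:
        """Claims 33 and 34: grant only when the requester is in the first NF
        set and every other condition holds; otherwise refuse and say why."""
        now = time.time() if now is None else now
        requester_id = requester_id_from(request)
        failures = []
        if requester_id is None or not self.in_first_set(requester_id, token.nf_set_id):
            failures.append("requester not in NF set %s" % token.nf_set_id)
        failures += self.failed_conditions(token, service, now)
        reused = requester_id is not None and requester_id != token.requested_by
        return Decision(granted=not failures, failures=failures, reused_by_sibling=reused)


if __name__ == "__main__":
    udm = Producer(instance_id="udm-1", nf_type="UDM", snssais=frozenset({"1-000001"}),
                   nsi_ids=frozenset({"nsi-1"}), set_id="udm-set-1",
                   nf_sets={"amf-set-a": frozenset({"amf-1", "amf-2"})})
    tok = AccessToken(nf_set_id="amf-set-a", requested_by="amf-1", expires_at=time.time() + 600,
                      producer_instance_id="udm-1", producer_nf_type="UDM", service_name="nudm-sdm")
    print(udm.authorize(tok, {"cca_subject": "amf-2"}, "nudm-sdm"))
```

The membership check is placed before the other conditions only so that a refusal reports the set problem first; all conditions are still evaluated, so a log line for a refused request names every failing condition rather than just the first.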
  35. A communication apparatus, characterized by comprising:
    a transceiver unit, configured to receive a first verification request message from a first network element, the first verification request message comprising the identifier of a second network element and the identifier of a first NF set, the first verification request message being used to request verification of whether the second network element belongs to the first NF set indicated by the identifier of the first NF set;
    a processing unit, configured to determine, according to the identifier of the second network element and the identifier of the first NF set, whether the second network element belongs to the first NF set;
    the transceiver unit being further configured to send indication information to the first network element, the indication information being used to indicate whether the second network element belongs to the first NF set.
  36. The apparatus according to claim 35, wherein the processing unit is specifically configured to:
    determine, according to the identifier of the second network element and configuration information of the second network element, the identifier of the NF set to which the second network element belongs;
    in a case where the identifier of the NF set to which the second network element belongs matches the identifier of the first NF set, determine that the second network element belongs to the first NF set; otherwise, the third network element determines that the second network element does not belong to the first NF set.
  37. The apparatus according to claim 35, wherein the processing unit is specifically configured to:
    determine, according to the identifier of the first NF set and configuration information of the first NF set, the identifiers of the NFs in the first NF set;
    in a case where the identifiers of the NFs in the first NF set include the identifier of the second network element, determine that the second network element belongs to the first NF set; otherwise, the third network element determines that the second network element does not belong to the first NF set.
  38. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when run on a computer, causes the computer to perform the method according to any one of claims 1 to 13, or to perform the method according to any one of claims 14 to 16.
  39. A computer program product, characterized by comprising computer program instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 13, or to perform the method according to any one of claims 14 to 16.
  40. A communication apparatus, characterized by comprising at least one processor, the at least one processor being configured to execute a computer program or instructions stored in a memory so as to perform the method according to any one of claims 1 to 13, or to perform the method according to any one of claims 14 to 16.
Application: PCT/CN2022/110535
Priority date: 2021-08-06
Filing date: 2022-08-05
Title: Authorization verification method and apparatus
Publication: WO2023011630A1 (en)

Applications Claiming Priority (2)

CN202110904483.8A (published as CN115706997A) - priority date 2021-08-06, filing date 2021-08-06, "Authorization verification method and device"
CN202110904483.8 - priority date 2021-08-06

Publications (1)

WO2023011630A1 - publication date 2023-02-09

Family

ID=85154839

Family Applications (1)

PCT/CN2022/110535 (WO2023011630A1) - priority date 2021-08-06, filing date 2022-08-05, "Authorization verification method and apparatus"

Country Status (2)

CN (1): CN115706997A (en)
WO (1): WO2023011630A1 (en)

Also Published As

CN115706997A (en) - publication date 2023-02-17

Legal Events

121 - EP: the EPO has been informed by WIPO that EP was designated in this application
    Ref document number: 22852341
    Country of ref document: EP
    Kind code of ref document: A1
NENP - Non-entry into the national phase
    Ref country code: DE