WO2023016255A1 - Network function service authorization method and apparatus - Google Patents


Info

Publication number
WO2023016255A1
Authority
WO (WIPO, PCT)
Prior art keywords
service; network function; service provider; provider network; function
Application number
PCT/CN2022/108155
Other languages
French (fr); Chinese (zh)
Inventors
邓娟; 张博; 宗在峰
Original assignee
华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/08 Access security
    • H04W12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol

Definitions

  • the present application relates to the field of communication technologies, and in particular to a method and device for network function service authorization.
  • the fifth generation (5G) communication system provides a service-based architecture.
  • the service provider network function provides services, and the service consumer network function accesses the services provided by the service provider network function.
  • the standard protocol defines an authorization mechanism for the case where a service consumer network function accesses a service provided by a service provider network function, so that only an authorized service consumer network function can access that service.
  • the service provider network function can perform Hypertext Transfer Protocol (HTTP) redirection, that is, it notifies the service consumer network function of other available service provider network functions or service provider network function instances (the target service provider network function or target service provider network function instance), so that the service consumer network function can access the service of the target service provider network function or target service provider network function instance.
  • HTTP Hypertext Transfer Protocol
  • because the service consumer network function may not have been authorized to access the service of the target service provider network function or target service provider network function instance, the service consumer network function cannot obtain the service from the target service provider network function or target service provider network function instance.
  • Embodiments of the present application provide a network function service authorization method and device for authorizing a service consumer's network function to access a first service (that is, a service requested by the consumer's network function).
  • a network function service authorization method including: the service consumer network function sends a first request message to the network repository function according to first information, the first request message including second information and the service name of the first service; the first request message is used to request an access token, and the access token is used for the authorization check when the service consumer network function accesses the first service; the service consumer network function receives a first response message from the network repository function.
  • the first information may be used to indicate that the service consumer network function satisfies the condition for sending the first request message that includes the second information in order to request the access token.
  • the second information may include service provider network function information, for example the network function type or network function set identifier of the service provider network function that provides the first service, or the instance identifier of the second service provider network function.
  • the first service is the service requested by the service consumer network function.
  • the service consumer network function can obtain an access token that includes the second information and is used for the authorization check when the service consumer network function accesses the first service (i.e. the requested service) provided by a service provider network function of that network function type, or by a service provider network function of that network function set, or by the target service provider network function.
  • the target service provider network function is also referred to as the second service provider network function
  • the target service provider network function can check the first access token successfully and then provide the service to the service consumer network function, so that when redirection occurs the service consumer network function is guaranteed to obtain the service provided by the target service provider network function.
  • the first information is used to indicate that the service consumer network function supports the Hypertext Transfer Protocol (HTTP) redirection feature, and/or that the first service supports the HTTP redirection feature, and/or that the service provider network function providing the first service supports the HTTP redirection feature; or, the first information includes a first indication and/or the instance identifier of the second service provider network function, where the first indication indicates service access authorization failure, or HTTP redirection, or that an access token is to be obtained, or that other service provider network functions are available; or, the first information includes the instance identifiers of multiple service provider network functions, each of which can provide the first service; or, the first information is used to instruct the service consumer network function to use a service communication agent to communicate with the service provider network function.
  • the method further includes: the service consumer network function receives the first information.
  • the service consumer network function receiving the first information includes: the service consumer network function receiving the first information sent by the network repository function, the service communication agent, or the first service provider network function.
  • the first information from the first service provider network function may include the first indication (indicating HTTP redirection or that other service provider network functions are available, for example an HTTP redirection status code) and information about the second service provider network function (i.e. the target service provider network function).
  • the first information from the service communication agent may include: the first indication, and may further include information of the second service provider network function (that is, the target service provider network function).
  • the first indication may include: information indicating HTTP redirection or other available service provider network functions, such as an HTTP redirection status code; or information indicating service access authorization failure, HTTP redirection, acquisition of an access token, or other available service provider network functions (i.e. an indication generated by the service communication agent based on the HTTP redirection indication from the first service provider network function).
  • the second information includes: the network function type of the service provider network function requested by the service consumer network function; or the network function set identifier of the service provider network function requested by the service consumer network function; or the instance identifier of the second service provider network function; or the instance identifiers of multiple service provider network functions that can provide the first service.
  • the response message includes any of the following: a first access token, which includes the network function type and/or the network function set identifier of the service provider network function; or a second access token, which includes the instance identifiers of a plurality of service provider network functions; or a plurality of third access tokens, each of which includes the instance identifier of one service provider network function; or a fourth access token, which includes the instance identifier of the second service provider network function.
  • the method further includes: the service consumer network function sends a second request message to the first service provider network function, the second service provider network function, or the service communication agent; the second request message is used to request a service and includes the first access token, the second access token, the third access token, or the fourth access token.
  • before the service consumer network function sends the first request message to the network repository function according to the first information, the method further includes: the service consumer network function sends a third request message to the first service provider network function or the service communication agent, where the third request message is used to request the first service.
  • before the service consumer network function sends the first request message to the network repository function according to the first information, the method further includes: the service consumer network function sends a fourth request message to the network repository function, where the fourth request message includes the service name of the first service and is used to request discovery of the first service or of a network function instance that can provide the first service.
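The token-issuing and token-checking steps of the method above, as an added Python example that is not part of the patent or of any 3GPP implementation. It models the access token as an HMAC-signed JSON body whose audience carries the second information (network function type, network function set identifier, list of instance identifiers, or a single instance identifier); the signing key, the claim names, the producer records and the service name are constructed for the example. It shows why a token bound to a single first-producer instance is rejected at the redirect target while a token bound to the network function type, the network function set, or an instance list is accepted there.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret between the NRF and producers (placeholder, not a real key).
NRF_SIGNING_KEY = b"example-nrf-signing-key"

# Constructed producer records: two SMF instances belonging to the same NF set.
PRODUCER_1 = {"instance_id": "smf-instance-1", "nf_type": "SMF", "nf_set_id": "smfset01"}
PRODUCER_2 = {"instance_id": "smf-instance-2", "nf_type": "SMF", "nf_set_id": "smfset01"}
SERVICE = "nsmf-pdusession"  # constructed service name


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(consumer_id: str, service_name: str, second_info: dict) -> str:
    """NRF side: the second information becomes the token's audience.

    second_info takes one of these constructed shapes (claim names are assumptions):
      {"nf_type": ...}        first access token, bound to an NF type
      {"nf_set_id": ...}      first access token, bound to an NF set
      {"nf_instances": [...]} second access token, bound to several instances
      {"nf_instance": ...}    fourth access token, bound to one instance
    """
    claims = {"sub": consumer_id, "scope": service_name, **second_info}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(NRF_SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the signature verifies, otherwise None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        given = _unb64(sig_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(NRF_SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(body)


def producer_authorizes(token: str, producer: dict, service_name: str) -> bool:
    """Target producer side: the token must cover this producer and the requested service."""
    claims = verify_token(token)
    if claims is None or claims.get("scope") != service_name:
        return False
    if "nf_instance" in claims:
        return claims["nf_instance"] == producer["instance_id"]
    if "nf_instances" in claims:
        return producer["instance_id"] in claims["nf_instances"]
    if "nf_set_id" in claims:
        return claims["nf_set_id"] == producer["nf_set_id"]
    if "nf_type" in claims:
        return claims["nf_type"] == producer["nf_type"]
    return False


def redirect_scenario() -> tuple:
    """The consumer holds tokens obtained for PRODUCER_1, then PRODUCER_1 redirects it to PRODUCER_2.

    Returns whether PRODUCER_2 accepts the (instance-bound, type-bound, instance-list) tokens.
    """
    bound_to_first = issue_access_token("amf-1", SERVICE, {"nf_instance": PRODUCER_1["instance_id"]})
    bound_to_type = issue_access_token("amf-1", SERVICE, {"nf_type": "SMF"})
    bound_to_list = issue_access_token(
        "amf-1", SERVICE, {"nf_instances": [PRODUCER_1["instance_id"], PRODUCER_2["instance_id"]]}
    )
    return (
        producer_authorizes(bound_to_first, PRODUCER_2, SERVICE),
        producer_authorizes(bound_to_type, PRODUCER_2, SERVICE),
        producer_authorizes(bound_to_list, PRODUCER_2, SERVICE),
    )


if __name__ == "__main__":
    print(redirect_scenario())  # (False, True, True)
```

The producer checks the most specific binding first (single instance, then instance list, then set, then type), so a token can never be widened by adding a looser claim next to a tighter one; the signature check runs before any claim is read, so a forged or altered body is rejected before the audience logic is reached.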
  • a network function service authorization method including: a service communication agent receives a first request message from a service consumer network function, the first request message including a first access token; the service communication agent sends a second request message including the first access token to the first service provider network function; the service communication agent receives a second response message from the first service provider network function, the second response message including information about the second service provider network function and a redirection status code, where the redirection status code indicates that service access authorization failed, or Hypertext Transfer Protocol (HTTP) redirection, or that an access token is to be obtained, or that other service provider network functions are available; the service communication agent sends a first response message to the service consumer network function, and the first response message is used by the service consumer network function to request a second access token.
  • after receiving the second response message from the first service provider network function (which includes the information about the second service provider network function and the redirection status code), the service communication agent sends the first response message to the service consumer network function, so that the service consumer network function requests a second access token; the second access token can be used for the authorization check when the service consumer network function accesses the requested service, so that the service consumer network function can use the second access token to request the service from the second service provider network function (i.e. the target service provider network function to which it was redirected).
  • the first response message includes first information, and the first information includes a first indication and/or the instance identifier of the second service provider network function; the first indication indicates that HTTP redirection has occurred, or instructs the service consumer network function to obtain an access token, or indicates that service access authorization failed, or indicates that other service provider network functions are available.
  • before the service communication agent sends the first response message to the service consumer network function, the method further includes:
  • the service communication agent determines that a first condition is satisfied; wherein the first condition includes at least one of the following conditions:
  • the first access token does not include the instance identifier of the second service provider network function
  • the first access token cannot be used to authorize access to the service of the second service provider network function;
  • the first access token can only be used to access a specific service provider network function instance, or can only be used to access the service of the first service provider network function, where the specific service provider network function includes the first service provider network function;
  • the first access token does not include the network function type or network function set identifier of the service provider network function
  • the first access token includes the instance identifier of the first service provider network function.
  • the service communication agent sends a third request message to the second service provider network function, and the third request message includes the first access token.
  • after the service communication agent sends the first response message to the service consumer network function, the method further includes: the service communication agent receives a fourth request message sent by the service consumer network function, the fourth request message including the second access token; the service communication agent sends a fifth request message including the second access token to the second service provider network function.
  • the second access token includes the instance identifier of the second service provider network function, or the network function type of the service provider network function, or the network function set identifier of the service provider network function.
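The service communication agent's evaluation of the first condition (the conditions listed above) and the resulting choice between forwarding the existing token to the redirect target and sending the consumer a first response message so that it obtains a second access token, as an added Python example that is not part of the patent. The claims dict mirrors a constructed token shape (network function type, set identifier, instance list, or single instance); the producer response layout, the status codes treated as redirection codes and the field names are constructed for the example.

```python
# Constructed NF records: the producer first contacted and the producer it redirects to.
FIRST_PRODUCER = {"instance_id": "smf-instance-1", "nf_type": "SMF", "nf_set_id": "smfset01"}
TARGET_PRODUCER = {"instance_id": "smf-instance-2", "nf_type": "SMF", "nf_set_id": "smfset01"}
REDIRECT_STATUS_CODES = {307, 308}  # constructed: status codes the agent treats as redirection


def first_condition_holds(claims: dict, first_producer: dict, target: dict) -> bool:
    """True when the first access token cannot be reused at the redirect target,
    i.e. at least one of the listed conditions applies; False when it can be reused."""
    target_id = target["instance_id"]
    # token already names the target instance, alone or in a list: reusable
    if claims.get("nf_instance") == target_id:
        return False
    if target_id in claims.get("nf_instances", []):
        return False
    # token carries an NF set or NF type that covers the target: reusable
    if "nf_set_id" in claims and claims["nf_set_id"] == target["nf_set_id"]:
        return False
    if "nf_type" in claims and claims["nf_type"] == target["nf_type"]:
        return False
    # token bound to the first producer only
    if claims.get("nf_instance") == first_producer["instance_id"]:
        return True
    # anything else: no target instance identifier and no covering type or set
    return True


def agent_handle_producer_response(claims: dict, first_producer: dict, response: dict) -> dict:
    """Decide what the service communication agent does with the producer's response.

    response is a constructed message: {"status": 307, "target": {...}} for a redirect,
    or {"status": 200, "body": ...} for a normal answer.
    """
    status = response["status"]
    if status not in REDIRECT_STATUS_CODES:
        return {"action": "relay_response", "status": status}
    target = response["target"]
    if first_condition_holds(claims, first_producer, target):
        # first response message: first indication plus the target's instance identifier,
        # so the consumer requests a second access token from the NRF
        return {
            "action": "notify_consumer",
            "first_indication": "obtain-access-token",
            "target_instance_id": target["instance_id"],
        }
    # token still valid for the target: third request message carrying the same token
    return {"action": "forward_existing_token", "to": target["instance_id"]}


# Constructed redirect response from the first producer.
REDIRECT_RESPONSE = {"status": 307, "target": TARGET_PRODUCER}


def demo() -> tuple:
    """Same redirect, two different tokens: one needs reissue, one does not."""
    instance_bound = {"sub": "amf-1", "scope": "nsmf-pdusession", "nf_instance": "smf-instance-1"}
    type_bound = {"sub": "amf-1", "scope": "nsmf-pdusession", "nf_type": "SMF"}
    return (
        agent_handle_producer_response(instance_bound, FIRST_PRODUCER, REDIRECT_RESPONSE)["action"],
        agent_handle_producer_response(type_bound, FIRST_PRODUCER, REDIRECT_RESPONSE)["action"],
    )


if __name__ == "__main__":
    print(demo())  # ('notify_consumer', 'forward_existing_token')
```

Keeping the decision in the agent rather than blindly forwarding the original token avoids a round trip that the target would reject anyway, and the first response message carries exactly what the consumer needs for its next token request: the indication and the target instance identifier.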
  • a network function service authorization method including: a network repository function receives a first request message from a service consumer network function, the first request message being used to request an access token and including the service name of the first service requested by the service consumer network function and the network function type or instance identifier of the requested service provider network function; the network repository function determines that a first condition is satisfied and then generates a first access token, or a second access token, or a plurality of third access tokens; the network repository function sends a first response message to the service consumer network function, the first response message including the first access token, or the second access token, or the plurality of third access tokens.
  • the network repository function determining that the first condition is satisfied includes: the network repository function receives first information from the service consumer network function and then determines that the first condition is satisfied; or, the local configuration of the network repository function indicates that the first service or the requested service provider network function supports Hypertext Transfer Protocol (HTTP) redirection, and the first condition is then determined to be satisfied; or, the network function profile of the first service or of the requested service provider network function indicates that the features supported by the first service or the requested service provider network function include HTTP redirection, and the first condition is then determined to be satisfied.
  • the first access token includes a network function type of the requested service provider network function, and/or a network function set identifier of the requested service provider network function;
  • the second access token includes instance identifiers of a plurality of service provider network functions; wherein the service provider network function can provide the first service;
  • the third access token includes an instance identifier of a service provider network function that can provide the first service.
  • the first request message includes first information, and the first information is used to indicate that the service consumer network function supports HTTP redirection, or that the first service requested by the service consumer network function supports HTTP redirection, or that the service provider network function requested by the service consumer network function supports HTTP redirection, or that the first service supports HTTP redirection, or that the requested service provider network function supports HTTP redirection.
  • before the network repository function generates the first access token, the second access token, or the plurality of third access tokens, the method further includes: the network repository function checks that the service access authorization of the service consumer network function is successful.
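The network repository function side of the method above, as an added Python example that is not part of the patent: it performs the service access authorization check, establishes the first condition from any of the three sources described (first information in the request, local configuration, or the supported features in the network function profile), and then picks which token variant to build from the requested service provider information. The authorization table, the feature string, the claim names and the request layout are constructed for the example; when the first condition does not hold, the fallback to a token naming only the single requested instance is a simplifying assumption of this example, not something the text specifies.

```python
from typing import Optional

# Constructed local configuration of the NRF.
LOCAL_CONFIG = {
    # service access authorization: which consumer NF types may use which services
    "authorized": {"AMF": {"nsmf-pdusession"}, "PCF": set()},
    "redirect_capable_services": set(),
    "redirect_capable_nf_types": set(),
}

# Constructed NF profiles registered at the NRF, keyed by instance identifier.
NF_PROFILES = {
    "smf-instance-1": {"nf_type": "SMF", "supported_features": {"http-redirect"}},
    "smf-instance-2": {"nf_type": "SMF", "supported_features": {"http-redirect"}},
    "smf-instance-3": {"nf_type": "SMF", "supported_features": set()},
}


def authorization_succeeds(request: dict, config: dict) -> bool:
    """Service access authorization check, done before any token is generated."""
    allowed = config["authorized"].get(request["consumer_nf_type"], set())
    return request["service_name"] in allowed


def requested_instances(request: dict) -> list:
    """Instance identifiers named in the request (none when only a type/set is requested)."""
    req = request["requested_producer"]
    if "nf_instances" in req:
        return list(req["nf_instances"])
    if "nf_instance" in req:
        return [req["nf_instance"]]
    return []


def first_condition_satisfied(request: dict, config: dict, profiles: dict) -> bool:
    """Any one of the three sources is enough to establish the first condition."""
    # (1) first information carried in the request itself
    if request.get("first_information", {}).get("http_redirect_supported"):
        return True
    # (2) local configuration for the service or the requested NF type
    req = request["requested_producer"]
    if request["service_name"] in config["redirect_capable_services"]:
        return True
    if req.get("nf_type") in config["redirect_capable_nf_types"]:
        return True
    # (3) the NF profile of a requested instance lists HTTP redirection as supported
    return any(
        "http-redirect" in profiles.get(inst, {}).get("supported_features", set())
        for inst in requested_instances(request)
    )


def build_token_claims(request: dict, config: dict, profiles: dict) -> Optional[list]:
    """Return the claim sets to sign (one per token to issue), or None on authorization failure."""
    if not authorization_succeeds(request, config):
        return None
    base = {"sub": request["consumer_id"], "scope": request["service_name"]}
    req = request["requested_producer"]
    instances = requested_instances(request)
    if not first_condition_satisfied(request, config, profiles):
        # assumption for this example: without redirection support, bind the token to
        # the single first requested instance, or refuse when no instance was named
        return [{**base, "nf_instance": instances[0]}] if instances else None
    if "nf_type" in req or "nf_set_id" in req:
        # first access token: NF type and/or NF set identifier of the requested producer
        return [{**base, **{k: req[k] for k in ("nf_type", "nf_set_id") if k in req}}]
    if request.get("one_token_per_instance"):
        # several third access tokens, one instance identifier each
        return [{**base, "nf_instance": inst} for inst in instances]
    # second access token: all requested instance identifiers in one token
    return [{**base, "nf_instances": instances}]


# Constructed request: consumer AMF asks for a type-bound token and signals redirect support.
EXAMPLE_REQUEST = {
    "consumer_id": "amf-1",
    "consumer_nf_type": "AMF",
    "service_name": "nsmf-pdusession",
    "requested_producer": {"nf_type": "SMF"},
    "first_information": {"http_redirect_supported": True},
}

if __name__ == "__main__":
    print(build_token_claims(EXAMPLE_REQUEST, LOCAL_CONFIG, NF_PROFILES))
```

The authorization check comes first so that the redirect-capability lookups never run for a consumer that is not entitled to the service at all; the three sources are checked in the order the text lists them, and the cheapest (the request's own first information) short-circuits the profile lookup.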
  • a communication device including: one or more processors and one or more memories, where the one or more memories store one or more computer programs, the one or more computer programs include instructions, and when the instructions are executed by the one or more processors the communication device is made to execute the method described in any one of the first aspect, the second aspect, and the third aspect.
  • a computer-readable storage medium includes a computer program, and when the computer program is run on a computing device, the computing device is made to perform the method described in any one of the first aspect, the second aspect, and the third aspect.
  • a chip is coupled with a memory and is used to read and execute program instructions stored in the memory, so as to implement the method described in any one of the first aspect, the second aspect, and the third aspect.
  • a computer program product is provided; when the computer program product is invoked by a computer, the computer executes the method described in any one of the first aspect, the second aspect, and the third aspect.
  • FIG. 1 is a system architecture applicable to the embodiment of the present application
  • FIG. 2 is a schematic diagram of the registration process of the service provider network function in the embodiment of the present application.
  • FIG. 3 is a schematic diagram of a service discovery process in an embodiment of the present application.
  • FIG. 4 is a schematic diagram of a service authorization flow in an embodiment of the present application.
  • FIG. 5 is a schematic diagram of a network function service authorization flow provided by an embodiment of the present application.
  • FIG. 6 is a schematic diagram of signaling interaction in a direct communication scenario based on the flow shown in FIG. 5;
  • FIG. 7 is a schematic diagram of signaling interaction in an indirect communication scenario based on the flow shown in FIG. 5;
  • FIG. 8 is a schematic diagram of another signaling interaction in a direct communication scenario based on the flow shown in FIG. 5;
  • FIG. 9 is a schematic diagram of another signaling interaction in an indirect communication scenario based on the flow shown in FIG. 5;
  • FIG. 10 is a schematic diagram of another network function service authorization flow provided by the embodiment of the present application.
  • FIG. 11 is a schematic diagram of a signaling interaction process in an indirect communication scenario based on the process shown in FIG. 10;
  • FIG. 12 is a schematic diagram of another network function authorization process provided by the embodiment of the present application.
  • FIG. 13 is a schematic diagram of a signaling interaction process in a direct communication scenario based on the process shown in FIG. 12;
  • FIG. 14 is a schematic diagram of a signaling interaction process in an indirect communication scenario based on the process shown in FIG. 12;
  • FIG. 15 is a schematic structural diagram of a service consumer network function provided by an embodiment of the present application.
  • FIG. 16 is a schematic structural diagram of a service communication agent provided by an embodiment of the present application.
  • FIG. 17 is a schematic structural diagram of a network repository function provided by an embodiment of the present application.
  • FIG. 18 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • the embodiment of the present application provides a service authorization method and device, which are used to authorize the service consumer's network function to access the first service (that is, the service requested by the consumer's network function).
  • the method and the device described in this application are based on the same technical concept. Since the principles by which the method and the device solve the problem are similar, the implementations of the device and the method can be referred to each other, and repeated details are not described again.
  • first and second are only used for the purpose of distinguishing descriptions, and cannot be understood as indicating or implying relative importance, nor can they be understood as indicating or implying order. It should be noted that the order of appearance of the first, second, etc. is not limited in the present application, for example, the fifth may appear first, and then the third, which is not limited in the present application.
  • At least one (item) refers to one (item) or multiple (items), and multiple (items) refers to two (items) or more than two (items).
  • a possible communication system architecture to which the service authorization method provided in the embodiment of the present application is applicable may include: a radio access network, a terminal device, and a core network.
  • FIG. 1 shows a possible example of a communication system architecture.
  • a radio access network may include an access network device.
  • the core network may include: a network exposure function (NEF) network element, a policy control function (PCF) network element, a unified data management (UDM) network element, an application function (AF) network element, an authentication server function (AUSF) network element, an access and mobility management function (AMF) network element, a session management function (SMF) network element, a network data analytics function (NWDAF) network element, a network repository function (NRF) network element, and a user plane function (UPF) network element, and may also include a network slice selection function (NSSF) network element.
  • the AMF network element and the access network device can be connected through the N2 interface
  • the access network device and the UPF can be connected through the N3 interface
  • the SMF and the UPF can be connected through the N4 interface
  • the AMF network element and the UE can be connected through the N1 interface.
  • the interface names are only examples and are not specifically limited in this embodiment of the present application. It should be understood that the embodiment of the present application is not limited to the communication system shown in FIG. 1, and the names of the network elements shown in FIG. 1 do not limit those network elements. The functions of each network element or device in the communication system are described in detail below:
  • Terminal equipment also called user equipment (UE), mobile station (MS), mobile terminal (MT), etc.
  • UE user equipment
  • MS mobile station
  • MT mobile terminal
  • the terminal device may include a handheld device with a wireless connection function, a vehicle-mounted device, and the like.
  • the terminal equipment can be: a mobile phone, tablet computer, notebook computer, palmtop computer, mobile Internet device (MID), wearable device, virtual reality (VR) equipment, augmented reality (AR) equipment, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical surgery, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, or a wireless terminal in a smart home, etc.
  • the terminal device in FIG. 1 is shown as a UE, which is only used as an example, and does not limit the terminal device.
  • RAN radio access network
  • AN access network
  • the RAN device is mainly a wireless network device of a 3GPP network.
  • the AN may be an access network device defined by non-3GPP.
  • RAN equipment is mainly responsible for radio resource management, quality of service (QoS) management, and data compression and encryption on the air interface side.
  • the access network equipment may include base stations in various forms, for example: macro base stations, micro base stations (also called small stations), relay stations, access points, and the like.
  • the names of devices with base station functions may be different, for example, in a 5G system, it is called RAN or gNB (5G NodeB), etc.
  • Access and mobility management function network element: it can be used to manage the access control and mobility of terminal equipment. In practical applications it includes the mobility management function of the mobility management entity (MME) in the long term evolution (LTE) network framework, with the access management function added, and can be responsible for registration of terminal equipment, mobility management, the tracking area update process, reachability detection, selection of the session management function network element, mobility state transition management, etc.
  • the access and mobility management function network element can be an AMF network element, as shown in Figure 1; in future communications, such as 6G, the access and mobility management function network element can still be an AMF network element, or have other names, which are not limited in this application.
  • when the access and mobility management function network element is an AMF network element, the AMF can provide the Namf service.
  • Session management function network element: it can be used for session management of terminal equipment (including session establishment, modification and release), selection and reselection of user plane function network elements, Internet protocol (IP) address allocation for terminal equipment, quality of service (QoS) control, etc.
  • the network element with the session management function can be an SMF network element, as shown in Figure 1; in future communications, such as 6G, the network element with the session management function can still be an SMF network element, or have other names, which are not limited in this application.
  • when the session management function network element is an SMF network element, the SMF can provide the Nsmf service.
  • NWDAF Network Data Analysis Element
  • NWDAF can be used for big data analysis. For example, acquire data, analyze the data, and provide the analysis results to other network elements or application functions.
  • the functions of NWDAF may also include: training models, and performing inferences based on the trained models.
  • the functions of the NWDAF can be decomposed into multiple independent instances, and these instances exist independently; or, one NWDAF instance provides certain functions.
  • for example, the functions provided by one NWDAF instance are model training and providing models to other NWDAF instances; for another example, an NWDAF instance may not provide the model training function, but obtains models from other NWDAF instances and then performs data analysis based on the obtained models.
  • the network data analytics network element can be an NWDAF network element, as shown in Figure 1; in future communications, such as 6G, the data analytics network element can still be an NWDAF network element, or have other names, which are not limited in this application.
  • the NWDAF network element can provide the Nnwdaf service.
  • User plane function network element: responsible for forwarding and receiving user data of terminal equipment. It can receive user data from the data network and transmit it to the terminal device through the access network device; the UPF network element can also receive user data from the terminal device through the access network device and forward it to the data network.
  • the transmission resources and scheduling functions that provide services for terminal equipment in the UPF network element are managed and controlled by the SMF network element.
  • the user plane function network element can be a UPF network element, as shown in Figure 1; in future communications, such as 6G, the user plane function network element can still be a UPF network element, or have other names, which are not limited in this application.
  • Policy control function network element: it mainly supports the provision of a unified policy framework to control network behavior, provides policy rules to the control layer network functions, and is responsible for obtaining user subscription information related to policy decisions.
  • the network element with the policy control function can be a PCF network element, as shown in Figure 1; in future communications, such as 6G, the network element with the policy control function can still be a PCF network element, or have other names, which are not limited in this application.
  • when the policy control function network element is a PCF network element, the PCF network element can provide the Npcf service.
  • Network exposure function network element: it mainly supports secure interaction between the 3GPP network and third-party applications.
  • the network element with the network exposure function can be an NEF network element, as shown in Figure 1; in future communications, such as 6G, the network element with the network exposure function can still be an NEF network element, or have other names, which are not limited in this application.
  • when the network exposure function network element is an NEF, the NEF can provide Nnef services to other network function network elements.
  • Application function element It mainly supports interaction with the 3GPP core network to provide services, such as influencing data routing decisions, policy control functions, or providing some third-party services to the network side.
  • the application function network element can be an AF network element, such as shown in Figure 1; in future communications, such as 6G, the application function network element can still be an AF network element, or have other names, which are not covered by this application. Do limited.
  • the application function network element is an AF network element, the AF network element can provide the Naf service.
  • Unified data management function network element used to generate authentication credentials, user identification processing (such as storing and managing user permanent identities, etc.), access authorization control and subscription data management, etc.
  • the unified data management function network element can be a UDM network element, such as shown in Figure 1; in future communications, such as 6G, the unified data management function network element can still be a UDM network element, or have other names , which is not limited in this application.
  • the UDM network element can provide the Nudm service.
  • Authentication server function network element: used to support the authentication function when the UE accesses the network, and to support the network slice-specific authentication and authorization procedure.
  • the authentication server function network element can be an AUSF network element, as shown in Figure 1; in future communication, such as in 6G, the authentication server function network element can still be an AUSF network element, or have other names, which is not limited in this application.
  • the AUSF network element can provide the Nausf service.
  • Network repository function network element: can be used to provide a network element discovery function, and to provide network element information corresponding to a network element type based on the requests of other network elements.
  • the NRF network element also provides network element management services, such as network element registration, update and de-registration, and network element status subscription and push.
  • the network repository function network element can be an NRF network element, as shown in Figure 1; in future communication, such as in 6G, the network repository function network element can still be an NRF network element, or have other names, which is not limited in this application.
  • when the network repository function network element is an NRF network element, the NRF network element can provide the Nnrf service.
  • Data network refers to a service network that provides data transmission services for users, such as IP multimedia service (IP multi-media service, IMS), Internet (Internet), etc.
  • the UE accesses the DN through a protocol data unit (protocol data unit, PDU) session established between the UE and the DN.
  • Service communication proxy (SCP), which can be used to provide one or more of the following functions: forwarding and routing messages to target network functions or target network function services, forwarding and routing messages to next-hop SCPs, delegated discovery (that is, the SCP performing service discovery, or discovery of a network function providing a service, or discovery of an instance of a network function providing a service), indirect communication (that is, the service consumer network function and the target service provider network function communicate through the SCP), communication security, load balancing, overload control, etc.
  • each network element in the core network can also be called a functional entity, device or network function, which can be a network element implemented on dedicated hardware, a software instance running on dedicated hardware, or a virtualized function instantiated on a virtualization platform; for example, the virtualization platform may be a cloud platform.
  • a network element may also be referred to as a network function or function or entity, which is not limited in this application.
  • the communication system shown in FIG. 1 does not constitute a limitation to the applicable communication system of the embodiment of the present application.
  • the communication system architecture shown in FIG. 1 is a 5G system architecture.
  • the method in the embodiment of the present application is also applicable to various communication systems in the future, such as 6G or other communication networks.
  • the service provider network function involved in the embodiment of the present application refers to a network function that provides network function services; the service provider network function may also be called a network function service provider (NF service producer), service provider or other names. The service consumer network function refers to the network function that accesses or uses the network function service.
  • the service consumer network function can also be called the network function service consumer (NF service consumer), service consumer or other names, which is not limited in this application.
  • a network service may also be referred to as a service.
  • the service provider network function can also be named according to the specific service provided, and similarly, the service consumer network function can also be named according to the specific service requested, which is not limited in this application.
  • the service provider network function may be any network element, device or entity that can provide network function services in the above-mentioned communication system.
  • the service consumer network function may be any network element, device or entity that requests network function services in the above-mentioned communication system.
  • the service provider network function can be AUSF, which can provide authentication services
  • the service consumer network function can be AMF, and AMF can request authentication services from AUSF, which is not limited in this application.
  • the service consumer network function and the service provider network function can communicate directly, which is called direct communication; they can also communicate indirectly, that is, through the service communication proxy (SCP), which is called indirect communication.
  • the standard protocol specifies the registration process of the service provider's network function in the NRF (Network Repository Function). Through this registration process, the service provider's network function can provide the network function file (NF profile) to the NRF.
  • Fig. 2 shows the NF registration process.
  • the service provider network function sends a message (such as Nnrf_NFManagement_NFRegister Request) for requesting registration to the network repository function (such as NRF), which includes the network function profile (NF profile) of the service provider network function; the NF profile includes the instance identifier (nfInstanceId) and network function type (nfType) of the service provider network function.
  • the NF profile may also include a network service list (nfServiceList).
  • the network service list includes one or more network function services (NFService), and each network function service includes a service name (serviceName), a service instance (serviceInstanceId) and the like.
  • NFService may also include the characteristics (supportedFeatures) supported by the service instance.
  • supportedFeatures may include HTTP 307 redirection or HTTP 308 redirection, which is used to indicate that the service provider network function or the service provider network function instance, or the service or the service instance supports the HTTP 307 feature and/or supports the HTTP 308 feature.
  • if the service provider network function, service provider network function instance, service or service instance supports the HTTP 307 and/or 308 features, the service provider network function can send to the service consumer network function or SCP the HTTP status code (HTTP status code) for temporary redirection (i.e., 307 temporary redirect) or permanent redirection (i.e., 308 permanent redirect), together with information about the target service provider network function to which the request is redirected.
  • the NRF saves the NF profile of the service provider's network function.
  • the NRF sends a response message to the request to the service provider network function.
  • supporting HTTP 307 and/or 308 features may also be referred to as supporting redirection or as supporting HTTP redirection or supporting service request redirection or supporting request redirection.
  • the service provider network function supports hypertext transfer protocol (HTTP) redirection, which also means that the service provider network function instance supports HTTP redirection, the service of the service provider network function supports HTTP redirection, or the service instance of the service provider network function supports HTTP redirection.
  • HTTP status code of temporary redirection (ie 307 temporary redirect) or permanent redirection (ie 308 permanent redirect) is also called HTTP redirection status code.
  • a service consumer network function may perform network function service discovery before sending a service request to a service provider network function.
  • FIG. 3 shows a network function service discovery process.
  • the service consumer network function sends a message (such as Nnrf_NFDiscovery_Request) to the NRF to request service discovery, which includes the type of the requested network function, the network function type (NF type) of the service consumer network function, etc., and may also include the service name of the requested network function service, etc.
  • the message may also include the features supported by the service consumer's network function that needs to be supported by the requested network function service.
  • the NRF checks the service consumer network function's authorization for service discovery.
  • if the NRF checks that the service consumer network function is authorized for service discovery, the NRF returns a response message to the service consumer network function.
  • the response message includes the discovery result, which may include the validity period of the discovery result and the network function profiles (NF profiles) of one or more network functions.
  • the network function file is a network function file corresponding to the network function or service discovered by the service consumer's network function request.
  • the service consumer network function requests an access token from the NRF before sending a message to the service provider network function requesting the service of the service provider network function.
  • There are two types of access tokens that a service consumer network function can request from the NRF:
  • An access token used to access a network function (Network Function, NF) type service provider network function service may be referred to as an NF-type access token, that is, an access token (NF type).
  • a service access token used to access a service provider network function instance may be referred to as an NF instance type access token, ie an access token (NF instance).
  • the access token may refer to an access token (NF type) or an access token (NF instance) unless otherwise specified.
  • Fig. 4 shows the flow of obtaining an access token (NF type) by a service consumer network function.
  • the service consumer network function sends a message (such as Nnrf_AccessToken_Get Request) for requesting an access token to the NRF; the message includes the instance identifier of the service consumer network function, the service name of the service requested by the service consumer network function, the NF type of the service provider network function requested by the service consumer network function, etc.
  • the NRF checks the authorization of the service consumer network function to access the requested service; if the check is successful, the NRF generates an access token (NF type), which includes the NF type of the service provider network function requested by the service consumer network function.
  • after the NRF checks that the service access authorization of the service consumer network function is successful, the NRF returns a response message (such as Nnrf_AccessToken_Get Response) to the service consumer network function, which includes the generated access token (NF type).
  • the process of requesting an access token (NF instance) by a service consumer network function is basically the same as the above process of requesting an access token (NF type), except that the message sent by the service consumer network function to the NRF for requesting an access token includes the NF instance identifier of the service provider network function requested by the service consumer network function, and the access token (NF instance) generated and returned by the NRF includes the NF instance identifier of the service provider network function requested by the service consumer network function.
  • after the service consumer network function obtains the access token, it sends a service request message to the service provider network function, which includes the access token obtained from the NRF; the service provider network function verifies the access token, and only after successful verification of the access token is the service provided to the service consumer network function.
  • the service provider network function verifying the access token includes: if the access token includes the network function type of the service provider network function requested by the service consumer network function, the service provider network function verifies whether the network function type included in the token is consistent with its own network function type; if the access token includes the instance identifier of the service provider network function requested by the service consumer network function, the service provider network function verifies whether that instance identifier is consistent with its own instance identifier.
  • the Hypertext Transfer Protocol (HTTP) redirection mechanism is defined in the standard protocol.
  • in direct communication, when a service provider network function that is in the overload state or about to enter the overload state receives a service request from the service consumer network function, in order to alleviate the overload state or avoid entering it, the service provider network function can perform HTTP redirection, that is, send the HTTP status code (HTTP status code) "307 temporary redirect" to the service consumer network function.
  • the HTTP redirection status code is used to notify the service consumer network function that another available service provider network function, that is, the target service provider network function, can provide the service requested by the service consumer network function.
  • the service provider network function also sends the information of the target service provider network function to the service consumer network function, including the uniform resource identifier (uniform resource identifier, URI) and/or instance identifier of the target service provider network function.
  • the service consumer network function sends a service request to the target service provider network function according to the received "307 temporary redirect" HTTP redirection status code and the information of the target service provider network function.
  • the service provider network function to which the service consumer network function first sends a service request is called the initial service provider network function (initial NF service producer) or the first service provider network function (SPNF); the target service provider network function may be referred to as the second service provider network function.
  • the service provider network function needs to support HTTP redirection, that is, the service provider network function can send the HTTP redirection status code and the information of the target service provider network function to the service consumer network function; it is also required that the service consumer network function supports HTTP redirection, that is, the service consumer network function sends a service request message to the target service provider network function after receiving the HTTP redirection status code and the information of the target service provider network function.
  • the service provider network function and the service consumer network function communicate through the service communication proxy (SCP).
  • the service consumer network function sends a message for requesting the service of the service provider network function to the SCP, and the message includes the requested service and information of the service provider network function, for example, may include an instance identifier of the service provider network function.
  • the SCP sends a service requesting message to the service provider network function according to the received information of the service provider network function, and the message includes the service requested by the service consumer network function.
  • after the service provider network function receives the request message sent by the SCP, it can initiate HTTP redirection, that is, the service provider network function sends a response message to the SCP that includes the HTTP redirection status code (HTTP status code) and the information of the target service provider network function.
  • after receiving the response message, the SCP sends the HTTP redirection status code and the information of the target service provider network function to the service consumer network function, and the service consumer network function sends a service request to the target service provider network function according to the HTTP redirection status code and the information of the target service provider network function.
  • the SCP may also directly send a service request message to the target service provider network function according to local configuration, instead of sending the received HTTP redirection status code and target service provider information to the service consumer network function.
  • the service provider network function to which the SCP first sends a service request is called the initial service provider network function (initial NF service producer) or the first service provider network function, and the target service provider network function may be referred to as the second service provider network function.
  • the service provider network function and the SCP are required to support redirection, that is, the service provider network function can send the HTTP redirection status code and the information of the target service provider network function to the service consumer network function, and after the SCP receives the HTTP redirection status code and the information of the target service provider network function, it can forward them to the service consumer network function, or itself send a service request to the target service provider network function.
  • the service consumer network function is also required to support HTTP redirection, that is, after receiving the HTTP redirection status code and the information of the target service provider network function, the service consumer network function sends a service request message to the target service provider network function.
  • the service consumer network function may be unable to access the services provided by the target service provider network function because it has not obtained the corresponding access token.
  • the embodiment of the present application provides a network function service authorization method and device, which can enable the service consumer network function to obtain services from the target service provider network function when HTTP redirection occurs.
  • the first service provider network function can also be expressed as the first service provider network function instance, or the initial service provider network function, or the initial service provider network function instance;
  • the second service provider network function can also be expressed as a second service provider network function instance, or a target service provider network function, or a target service provider network function instance;
  • the first service can also be expressed as a first service instance.
  • a network function service authorization method provided in the embodiment of the present application may be applicable to the communication system shown in FIG. 1 .
  • the specific process of the method may include:
  • the service consumer network function sends a first request message to the network repository function (NRF) according to the first information; the first request message includes the second information and the service name of the first service, and is used to request an access token, which is used for the authorization check when the service consumer network function accesses the first service.
  • the first request message further includes a network function type or a network function instance of the requested network function;
  • the first service is a service requested by the service consumer network function.
  • the first information is used to indicate that the service consumer network function, and/or the first service, and/or the service provider network function that provides the first service, and/or the requested service provider network function supports the HTTP redirection feature. That is, if at least one of the service consumer network function, the first service, the service provider network function providing the first service, and the requested service provider network function supports the HTTP redirection feature, then the second information should be included in the first request message sent by the service consumer network function to the NRF.
  • the service consumer network function may check whether the service consumer network function, and/or the first service, and/or the service provider network function providing the first service, and/or the requested service provider network function supports HTTP redirection.
  • the service consumer network function checks whether it supports HTTP redirection by checking local configuration information, and if the local configuration information indicates support, then the service consumer network function supports HTTP redirection.
  • the service consumer network function checks whether the first service, the service provider network function providing the first service, or the requested service provider network function supports HTTP redirection by checking the network function profile (NF profile) corresponding to the first service, the service provider network function providing the first service, or the requested service provider network function; if the features supported by the first service, the requested service provider network function, or the service provider network function providing the first service in that network function profile include HTTP redirection, then the first service, the service provider network function providing the first service, or the requested service provider network function supports HTTP redirection.
  • For an example of this implementation manner, refer to related content in FIG. 6 or FIG. 7 below.
  • the first information includes instance identifiers of multiple service provider network functions. That is to say, if the first information obtained by the service consumer network function includes instance identifiers of multiple service provider network functions, for example, the first information that the service consumer network function obtains from the NRF during the service discovery process includes multiple service provider network function instance identifiers, the first request message sent by the service consumer network function to the NRF includes the second information.
  • For an example of this implementation manner, refer to related content in FIG. 6 or FIG. 7 below.
  • the first information indicates that there are multiple service provider network function instances that provide the first service. That is to say, if there are multiple service provider network function instances providing the first service, the service consumer network function should include the second information in the first request message sent to the NRF.
  • the first information indicates that there are multiple network function instances in the network function set of the service provider network function that provides the first service. That is to say, if the network function set of the service provider network function providing the first service includes multiple network function instances, the first request message sent by the service consumer network function to the NRF should include the second information.
  • the first information is used to instruct the service consumer network function to use a service communication proxy (service communication proxy, SCP) to communicate with the service provider network function. That is to say, if the service consumer network function uses the SCP to communicate with the service provider network function, the first request message sent by the service consumer network function to the NRF should include the second information.
  • the service consumer network function may determine whether to use the SCP to communicate with the service provider network function through local configuration. For an example of this implementation manner, refer to related content in FIG. 7 below.
  • the first information includes the first indication and/or information about the network function of the second service provider. That is to say, if the first information includes the first indication and/or the information of the second service provider network function, the service consumer network function should include the second information in the first request message sent to the NRF.
  • the information of the second service provider network function may include the URI of the second service provider network function and/or the instance identifier of the second service provider network function.
  • the first indication is used to indicate service access authorization failure, or HTTP redirection, or access token acquisition, or other available service provider network functions.
  • the first information may be sent by the first service provider network function to the service consumer network function. For an example of this implementation, refer to the relevant content in FIG. 8 below.
  • the first information may be sent by the SCP to the service consumer network function after the SCP receives the HTTP redirection status code sent by the first service provider network function and the information of the second service provider network function.
  • the first information is a message, which is used to notify the service consumer network function of service access authorization failure, or HTTP redirection, or access token acquisition, or other available service provider network functions; in this implementation manner, the first information optionally includes the information of the second service provider network function.
  • the first information may be sent by the first service provider network function to the service consumer network function.
  • the first information may be sent by the SCP to the service consumer network function after receiving the HTTP redirection status code sent by the first service provider network function and the information of the second service provider network function.
  • the service consumer network function receives the first information. That is, the first information may be received by the service consumer network function.
  • the first information may come from the network repository function, the service communication proxy or the first service provider network function; that is, the service consumer network function may receive the first information sent by the network repository function (NRF), the service communication proxy (SCP) or the first service provider network function.
  • the first information from the first service provider network function may include a first indication (for indicating HTTP redirection, or other available service provider network functions, or service access authorization failure, or access token acquisition, such as an HTTP redirection status code) and the information of the second service provider network function (such as a URI and an instance identifier).
  • the second service provider network function is the target service provider network function to which HTTP is redirected. For an example of this implementation manner, refer to related content in FIG. 8 or FIG. 9 below.
  • the first information from the SCP may include: the first indication, and/or information about the network function of the second service provider.
  • the first indication may include: information indicating HTTP redirection, or other available service provider network functions, or service access authorization failure, or access token acquisition.
  • the information of the second service provider network function includes a URI or instance identification of the second service provider network function.
  • the second service provider network function is the target service provider network function to which HTTP is redirected.
  • the first information from the SCP may be a message, which is used to notify the service consumer network function of service access authorization failure, or HTTP redirection, or access token acquisition, or other available service provider network functions.
  • the message optionally includes information about the network function of the second service provider.
  • the information of the second service provider network function includes a URI or instance identification of the second service provider network function.
  • the second service provider network function is the target service provider network function to which HTTP is redirected. For an example of this implementation manner, refer to related content in FIG. 10 or FIG. 11 below.
  • the second information may include: the NF type and/or NF Set identifier of the service provider network function requested by the service consumer network function, or the service provider network function that provides the first service
  • the service provider network function providing the first service includes a first service provider network function and a second service provider network function. Since the first request message includes the second information, the network repository function also includes the second information in the corresponding access token generated after checking that the authorization of the service consumer network function is successful.
  • the service consumer network function can use the access token to access the first service instance of the second service provider network function.
  • a network function set may include one or more network functions, specifically, may include one or more instance identifiers of network functions, and these network functions have the same network function type and can provide the same service.
  • the network function type of the service provider network function requested by the service consumer network function, the network function type of the second service provider network function, and the network function type of the first service provider network function are all the same.
  • the NF Set identifier of the service provider network function requested by the service consumer network function, the NF Set identifier of the second service provider network function, and the NF Set identifier of the first service provider network function are all the same.
  • the second information may include the instance identifier of the second service provider network function. Since the first request message includes the instance identifier of the second service provider network function, the access token generated by the network repository function after verifying that the service access authorization of the service consumer network function succeeds also includes the instance identifier of the second service provider network function. The service consumer network function can thus use the access token to access the first service of the second service provider network function.
  • the second information may include instance identifiers of multiple service provider network functions that can all provide the first service, such as the first service provider network function and the second service provider network function. Since the first request message includes the instance identifiers of multiple service provider network functions, the access token generated by the network repository function also includes those instance identifiers, including that of the second service provider network function, so the service consumer network function can use the generated access token to access the first service of the second service provider network function.
  • after receiving the first request message sent by the service consumer network function, the NRF checks the service access authorization of the service consumer network function. If the check succeeds, the NRF generates an access token, which includes the service name of the first service and the second information, and sends the generated access token to the service consumer network function through the first response message; otherwise, the NRF refuses to generate an access token for the service consumer network function and sends it a first response message that includes the reason for the error, such as authorization failure.
  • the NRF generates access tokens; i.e., the NRF generates a first access token, or a second access token, or at least two third access tokens, or a fourth access token.
  • the NRF sends the generated access token to the service consumer network function through the first response message; that is, the NRF sends the first access token, or the second access token, or the at least two third access tokens, or the fourth access token to the service consumer network function. See the description of the first, second, third and fourth access tokens in S503.
  • S503 The service consumer network function receives the first response message from the NRF.
  • the access token in the first response message may include a first access token, and the first access token includes the NF type and/or the NF Set identifier of the service provider network function.
  • the type of the first access token may be "access token (NF type)".
  • the service provider network function is the service provider network function requested by the service consumer network function, or a service provider network function that can provide the first service, or the second service provider network function, or the first service provider network function.
  • the first access token includes second information, that is, the first access token includes the NF type and/or NF Set identifier of the service provider network function requested by the service consumer network function, or the second service The NF type and/or NF Set identification of the provider network function, or the NF type and/or NF Set identification of the first service provider network function.
  • the NF Set identifier included in the first access token is the same as the NF Set identifier of the second service provider network function, so when redirection occurs, the service consumer network function can use the first access token to access the first service of the second service provider network function.
  • when the service consumer network function requests an access token from the NRF before sending a message requesting a service to a first service provider network function or a second service provider network function, the NRF may send the first access token to the service consumer network function.
  • the access token in the first response message may include a second access token, where the second access token includes instance identifiers of multiple service provider network functions.
  • the second access token includes second information.
  • the second information includes instance identifiers of multiple service provider network functions, and the service provider network function instance identifiers included in the second access token are all service provider network function instance identifiers in the second information.
  • these service provider network functions can all provide the first service, and they include the second service provider network function; that is, the second access token includes the instance identifier of the second service provider network function, so when redirection occurs, the service consumer network function can use the second access token to access the first service of the second service provider network function.
  • the type of the second access token may be "Access Token (NF Instance)".
  • when the service consumer network function requests an access token from the NRF before sending a service request to the first service provider network function or the second service provider network function, the NRF can send the second access token to the service consumer network function.
  • For an example of this implementation manner, refer to related content in FIG. 6 or FIG. 7.
  • the access token in the first response message may include multiple third access tokens, and each third access token includes the instance identifier of one service provider network function that can provide the first service, such as the first service provider network function or the second service provider network function.
  • the third access token includes the second information. It can be understood that the instance identifier of the service provider network function in each third access token is one of the instance identifiers of the multiple service provider network functions in the second information.
  • the service consumer network function can access the first service of the second service provider network function using the third access token that includes the instance identifier of the second service provider network function.
  • the type of the third access token may be "Access Token (NF Instance)".
  • when the service consumer network function requests access tokens from the NRF before sending a service request to the first service provider network function or the second service provider network function, the NRF sends the multiple third access tokens to the service consumer network function.
  • the access token in the first response message may include a fourth access token, where the fourth access token includes the instance identifier of the network function of the second service provider.
  • the fourth access token includes the second information. It can be understood that the second information includes the instance identifier of the second service provider network function, and the instance identifier in the fourth access token is likewise the instance identifier of the second service provider network function.
  • the service consumer network function can use the fourth access token to access the first service of the second service provider network function.
  • the type of the fourth access token may be "Access Token (NF Instance)".
  • after the service consumer network function receives the first information from the first service provider network function or the SCP, where the first information includes the instance identifier of the second service provider network function, the service consumer network function sends a first request message to the NRF for requesting an access token, where the first request message includes the received instance identifier of the second service provider network function.
  • the NRF sends a fourth access token to the service consumer network function, which includes the instance identifier of the second service provider network function.
  • An example of this implementation manner may refer to related content in FIG. 8 or FIG. 9 or FIG. 10 or FIG. 11 .
  • the above process may further include the following step: after receiving the first response message from the NRF, the service consumer network function sends a second request message to the first service provider network function, the second service provider network function, or the service communication proxy; the second request message is used to request a service and includes the first access token, the second access token, the third access token, or the fourth access token.
  • the service consumer network function may send a second request message (that is, a service request message).
  • the service request message may include the first access token or the second access token or the third access token.
  • the service consumer network function may send a second request message (i.e., a service request message) to the second service provider network function.
  • the service request message may include the first access token or the second access token or the third access token or the fourth access token.
  • the above process may further include the following step: before the service consumer network function receives the first information, it sends a third request message to the first service provider network function or the service communication proxy; the third request message is used to request the first service (i.e., the service requested by the service consumer network function) and includes a fifth access token. That is, after the service consumer network function sends the third request message (i.e., a service request message) to the first service provider network function (in the direct communication scenario) or to the SCP (in the indirect communication scenario), it receives the first information sent by the first service provider network function or the SCP. According to the first information, the service consumer network function sends a first request message to the NRF to request an access token.
  • before the service consumer network function sends the first request message to the NRF, it checks the fifth access token. If the fifth access token meets the second condition, the service consumer network function sends the first request message to the NRF; otherwise, it does not send the first request message to the NRF but directly initiates a service request message to the SCP or to the second service provider network function, where that message includes the fifth access token.
  • the second condition is: the fifth access token includes the instance identifier of the first service provider network function, and/or the fifth access token does not include the NF type of the service provider network function, and/or the fifth access token does not include the NF Set identifier of the service provider network function, and/or the fifth access token does not include the NF Set identifier and the NF type of the service provider network function, and/or the fifth access token does not include the instance identifier of the second service provider network function.
  • if the fifth access token includes the instance identifier of the first service provider network function, and/or the fifth access token does not include the NF type of the service provider network function, and/or the fifth access token does not include the NF Set identifier of the service provider network function, and/or the fifth access token does not include the NF Set identifier and NF type of the service provider network function, and/or the fifth access token does not include the instance identifier of the second service provider network function, then the service consumer network function sends a first request message to the NRF, which includes the second information.
  • if the fifth access token includes the instance identifier of the second service provider network function, and/or the fifth access token includes the NF type of the service provider network function, and/or the fifth access token includes the NF Set identifier of the service provider network function, and/or the fifth access token includes the NF Set identifier and NF type of the service provider network function, then the service consumer network function directly initiates a message for requesting the service to the SCP or to the second service provider network function, where the message includes the fifth access token.
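An added illustration of the consumer-side check just described (Python written for this page, not code from the application or from any NF implementation). The description lists the conditions with "and/or"; the model follows the two bullets immediately above: the fifth access token is reused when it names the instance of the second service provider network function or carries an NF type or NF Set identifier, and otherwise a first request message carrying the second information (the target's instance identifier) goes to the NRF. The instance identifiers, NF Set identifier, service name and the claim names nf_type, nf_set_id and nf_instances are constructed assumptions.

```python
# Constructed instance identifiers for the first (initial) and second
# (redirect target) service provider network functions.
FIRST_PROVIDER = "smf-0001"
SECOND_PROVIDER = "smf-0002"

# Constructed fifth access tokens, shown as their claim sets. The claim names
# nf_type, nf_set_id and nf_instances are assumptions standing for the NF type,
# NF Set identifier and NF instance identifiers the description places in a token.
TOKEN_BOUND_TO_FIRST = {"scope": "nsmf-pdusession", "nf_instances": [FIRST_PROVIDER]}
TOKEN_WITH_NF_SET = {"scope": "nsmf-pdusession", "nf_set_id": "set1.smfset.5gc.mnc001.mcc001"}
TOKEN_WITH_NF_TYPE = {"scope": "nsmf-pdusession", "nf_type": "SMF"}
TOKEN_WITH_BOTH = {"scope": "nsmf-pdusession",
                   "nf_instances": [FIRST_PROVIDER, SECOND_PROVIDER]}


def token_covers_target(claims: dict, second_provider_id: str) -> bool:
    """True when the fifth access token can be reused towards the redirect
    target: it names the target instance, or carries an NF type or NF Set."""
    if second_provider_id in claims.get("nf_instances", []):
        return True
    return "nf_type" in claims or "nf_set_id" in claims


def second_condition_met(claims: dict, second_provider_id: str) -> bool:
    """The second condition: the token only covers the initial provider, so a
    fresh access token must be requested from the NRF before the redirect."""
    return not token_covers_target(claims, second_provider_id)


def next_message(claims: dict, second_provider_id: str) -> dict:
    """The message the consumer sends after receiving the first information."""
    if second_condition_met(claims, second_provider_id):
        # First request message to the NRF; the second information carried is
        # the instance identifier of the second service provider network function.
        return {"to": "NRF", "type": "access_token_request",
                "scope": claims.get("scope"),
                "second_information": {"nf_instance_id": second_provider_id}}
    # The fifth access token still covers the target: send the service request
    # (directly, or via the SCP in the indirect scenario) with the same token.
    return {"to": second_provider_id, "type": "service_request",
            "access_token": claims}
```

A token bound only to the initial provider's instance is the case the check exists for: without it the consumer would present an access token at the redirect target that the target cannot accept, and the redirect would end in an authorization failure rather than service.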
  • the above process may further include the following step: before the service consumer network function receives the first information, it sends a fourth request message to the NRF; the fourth request message includes the first service (i.e., the service requested by the service consumer network function) and is used to request discovery of the first service, or of network function instances that can provide the first service. That is, the service consumer network function first sends a fourth request message to the NRF to perform service discovery, and the NRF may send the network function profiles (NF profiles) of multiple service provider network functions to the service consumer network function, including the instance identifiers of these network functions, which can provide the first service. It can be understood that the service consumer network function can thereby obtain the identifiers of multiple service provider network functions (i.e., the first information) from the NRF.
  • An example of a service discovery process may refer to the process shown in FIG. 3 .
  • the first service is the service requested by the service consumer network function.
  • the second information is the network function type of the service provider network function providing the first service, or the network function set identifier of the service provider network function providing the first service, or the network function type of the first service provider network function, or the network function set identifier of the first service provider network function, or the network function type of the second service provider network function (that is, the target service provider network function), or the network function set identifier of the second service provider network function.
  • the service consumer network function can obtain an access token, the access token including the second information.
  • the access token is used for the authorization check when the service consumer network function accesses the first service (i.e., the requested service) of the second service provider network function.
  • the service consumer network function needs to access the first service of the second service provider network function, and since it has already obtained an access token, that access token can be used in the authorization check when accessing the first service of the second service provider network function, so the second service provider network function can verify the access token successfully and then serve the service consumer network function. Thus, when the redirection occurs, it can be guaranteed that the service consumer network function obtains the service provided by the second service provider network function.
  • FIG. 6 is a schematic flow diagram of a network function service authorization method in the direct communication scenario in the embodiment of the present application. As shown in the figure, the flow may include:
  • Step 0 The service consumer network function determines or receives the first information before requesting the access token.
  • the service consumer network function determining the first information includes checking whether the service consumer network function, and/or the requested service, and/or the requested service provider network function supports HTTP redirection. If so, the service consumer network function determines the first information; that is, it determines that the service consumer network function, and/or the requested service, and/or the requested service provider network function supports HTTP redirection. Here the first information is used to indicate that the service consumer network function, and/or the requested service, and/or the requested service provider network function supports the HTTP redirection feature, or to indicate that at least one of the service consumer network function, the requested service, and the requested service provider network function supports the HTTP redirection feature.
  • the service requested here is the first service;
  • the requested service provider network function may be the first service provider network function, or a service provider network function that provides the first service. It can be understood that the service provider network function providing the first service includes the first service provider network function and the second service provider network function.
  • the first information indicates that the service consumer network function, and/or the first service, and/or the service provider network function providing the first service support HTTP redirection.
  • the service consumer network function receiving the first information includes the service consumer network function receiving the NF Profiles of multiple network functions sent by the NRF, or the instance identifiers of multiple network functions, where these network functions can provide the first service.
  • the first information here includes the NF Profiles of multiple network functions or the instance identifiers of multiple network functions. It can be understood that, before receiving the first information, the service consumer network function sends a message requesting service discovery to the NRF; the message includes the service name of the first service, and the NRF sends the discovery result to the service consumer network function, including the first information, that is, the network function profiles (NF profiles) of multiple network functions or the instance identifiers of multiple network functions. Each NF Profile includes the instance identifier of the network function. These network functions can all provide the first service.
  • the determination of the first information by the service consumer network function includes checking whether there are multiple service provider network function instances that can provide the first service. If so, the service consumer network function determines the first information, that is, determines that there are multiple service provider network function instances providing the first service. Here, the first information indicates that there are multiple service provider network function instances providing the first service.
  • the service consumer network function determines the first information, including checking whether there are multiple network function instances in the network function set of the service provider network function that can provide the first service, and if so, the service consumer network The function determines the first information, that is, it is determined that there are multiple network function instances in the network function set of the service provider network function that can provide the first service.
  • the first information here is used to indicate that there are multiple network function instances in the network function set of the service provider network function that can provide the first service.
  • HTTP redirection feature is also referred to as HTTP redirection for short.
  • when the service consumer network function checks whether it supports HTTP redirection, the check may be based on local configuration: if the local configuration indicates that the service consumer network function supports HTTP redirection, the service consumer network function supports HTTP redirection.
  • when the service consumer network function checks whether the requested service provider network function, the requested service (i.e., the first service), or the requested service instance (i.e., the first service instance) supports HTTP redirection, the check may be based on local configuration or on the NF Profile obtained from the NRF.
  • the NRF returns the NF Profile to the service consumer network function. If the supported features (supportedFeatures) in the NF Profile of the requested service provider network function include HTTP redirection, the requested service provider network function, or the requested service, or the requested service instance supports HTTP redirection. If the supported features (supportedFeatures) of the first service or the first service instance in the NF Profile include HTTP redirection, the first service or the first service instance supports HTTP redirection.
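An added example (Python written for this page, not the application's or any NF's code) of the step 0 checks described above: the consumer's local configuration, the supportedFeatures of the NF Profiles returned by the NRF (for the NF and for the requested service), and whether several instances in one NF Set provide the service; it also assembles the second information the consumer puts into the access token request of step 1. The profiles, the local configuration, the feature name HTTP_REDIRECT and the representation of supportedFeatures as a list of names are constructed simplifications; the 3GPP SupportedFeatures type is a hex bit string.

```python
# Constructed discovery result: NF Profiles in the shape the description gives
# (instance identifier, NF type, NF Set, supported features, services).
# The feature name HTTP_REDIRECT and the list form of supportedFeatures are
# assumptions made for this example.
REDIRECT_FEATURE = "HTTP_REDIRECT"
SERVICE = "nsmf-pdusession"
NF_SET_1 = "set1.smfset.5gc.mnc001.mcc001"
NF_SET_2 = "set2.smfset.5gc.mnc001.mcc001"

NF_PROFILES = [
    {"nfInstanceId": "smf-0001", "nfType": "SMF", "nfSetIdList": [NF_SET_1],
     "supportedFeatures": [REDIRECT_FEATURE],
     "nfServices": [{"serviceName": SERVICE, "supportedFeatures": [REDIRECT_FEATURE]}]},
    {"nfInstanceId": "smf-0002", "nfType": "SMF", "nfSetIdList": [NF_SET_1],
     "supportedFeatures": [],
     "nfServices": [{"serviceName": SERVICE, "supportedFeatures": [REDIRECT_FEATURE]}]},
    {"nfInstanceId": "smf-0003", "nfType": "SMF", "nfSetIdList": [NF_SET_2],
     "supportedFeatures": [],
     "nfServices": [{"serviceName": SERVICE, "supportedFeatures": []}]},
]
LOCAL_CONFIG = {"supports_http_redirect": True}   # constructed consumer configuration


def provides(profile: dict, service: str) -> bool:
    """Does this NF Profile advertise the requested service at all?"""
    return any(s.get("serviceName") == service for s in profile.get("nfServices", []))


def profile_supports_redirect(profile: dict, service: str) -> bool:
    """HTTP redirection advertised by the NF itself or by the requested service."""
    if REDIRECT_FEATURE in profile.get("supportedFeatures", []):
        return True
    return any(REDIRECT_FEATURE in s.get("supportedFeatures", [])
               for s in profile.get("nfServices", []) if s.get("serviceName") == service)


def determine_first_information(config: dict, profiles: list, service: str, nf_set_id=None):
    """Step 0 checks; returns the first information, or None when no check holds."""
    providers = [p for p in profiles if provides(p, service)]
    if nf_set_id is not None:   # the requested producer was given as an NF Set
        providers = [p for p in providers if nf_set_id in p.get("nfSetIdList", [])]
    per_set = {}
    for p in providers:
        for s in p.get("nfSetIdList", []):
            per_set[s] = per_set.get(s, 0) + 1
    info = {
        "http_redirect": bool(config.get("supports_http_redirect"))
        or any(profile_supports_redirect(p, service) for p in providers),
        "multiple_instances": len(providers) > 1,
        "multiple_in_set": any(n > 1 for n in per_set.values()),
        "providers": [p["nfInstanceId"] for p in providers],
    }
    return info if (info["http_redirect"] or info["multiple_instances"]) else None


def build_second_information(profiles: list, instance_ids: list) -> dict:
    """Second information for step 1: NF type, common NF Set, instance identifiers."""
    chosen = [p for p in profiles if p["nfInstanceId"] in instance_ids]
    types = {p["nfType"] for p in chosen}
    sets = [set(p.get("nfSetIdList", [])) for p in chosen]
    common = set.intersection(*sets) if sets else set()
    return {"nf_type": types.pop() if len(types) == 1 else None,
            "nf_set_id": sorted(common)[0] if common else None,
            "nf_instances": list(instance_ids)}
```

When the consumer has no local redirect support and discovery returns a single producer that does not advertise the feature, no first information results and the consumer sends its token request without the second information, which is the existing behaviour the description contrasts with.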
  • Step 1 The service consumer network function sends a message for requesting an access token to the NRF according to the first information, and the message includes the second information. This message corresponds to the first request message in FIG. 5 .
  • the service consumer network function sends a message for requesting an access token to the NRF according to the first information; the message includes the service name of the first service and the second information. It should be understood that after the service consumer network function determines or receives the first information, the message it sends to the NRF for requesting an access token shall include the second information.
  • the second information includes: the NF type and/or NF Set identifier of the requested service provider network function, or the NF type and/or NF Set identifier of the first service provider network function, or the instance identifiers of multiple service provider network functions, where each service provider network function can provide the first service.
  • the service provider network function requested by the service consumer may be the first service provider network function, or the service provider network function that provides the first service.
  • the service provider network function providing the first service includes a first service provider network function and a second service provider network function.
  • the NF type of the first service provider network function, the NF type of the second service provider network function, and the NF type of the requested service provider network function are the same.
  • the NF Set identifier of the first service provider network function, the NF Set identifier of the second service provider network function, and the NF Set identifier of the requested service provider network function are the same.
  • Step 2 The NRF checks if the service consumer network function has authorization to access the requested first service. After the check is successful, NRF generates one or more access tokens, which can include the following three situations:
  • Case 1 Generate a first access token; the first access token includes the NF type and/or NF Set identifier of the requested service provider network function, or the NF type and/or NF Set identifier of the first service provider network function, that is, the first access token includes the second information.
  • Case 2 Generate a second access token.
  • the second access token includes instance identifiers of multiple service provider network functions, and each service provider network function instance identifier in the second access token is an instance identifier of a service provider network function in the second information; that is, the second access token includes the second information.
  • Case 3 Multiple third access tokens are generated, and each third access token includes the instance identifier of one service provider network function, which is one of the instance identifiers of the multiple service provider network functions in the second information.
  • the above-mentioned first access token, second access token and third access token also include the name of the first service, the instance identifier of the service consumer network function, and the like.
  • Step 3 The NRF returns the generated one or more access tokens to the service consumer network function.
  • Step 4 The service consumer network function sends a message for requesting the service (i.e., a service request) to the first service provider network function (i.e., the initial service provider network function); the message includes the access token obtained in step 3.
  • the service consumer network function may include all of the received access tokens in the message, or only one of the third access tokens, namely the third access token that includes the instance identifier of the first service provider network function.
  • This message corresponds to the second request message sent to the network function of the first service provider in the process shown in FIG. 5 .
  • Step 5 The first service provider network function may send a response message to the service consumer network function, which includes an HTTP redirect status code (such as HTTP 307 redirection or HTTP 308 redirection) and information about the second service provider network function (i.e., the target service provider network function), such as its instance identifier and/or URI.
  • Step 6 The service consumer network function sends a message for requesting the service to the second service provider network function according to the HTTP redirection status code and the information of the second service provider network function; the message includes the access token received in step 3.
  • the service request message corresponds to the second request message sent to the second service provider network function in the process shown in FIG. 5 .
  • when the service consumer network function receives multiple access tokens in step 3, it selects the access token that includes the instance identifier of the second service provider network function and includes that access token in the message of step 6; alternatively, the service consumer network function includes all of the received access tokens in the message of step 6.
  • Step 7 The second service provider network function verifies the received access token, and if the verification passes, it provides services for the service consumer network function.
  • the second service provider network function checks whether the access token includes the instance identifier of the second service provider network function. If not, verification of the access token fails; the second service provider network function does not perform the service requested by the service consumer network function and returns a response message including an error reason. If verification of the access token succeeds, the second service provider network function performs the service requested by the service consumer network function.
  • steps 1-3, namely the process of obtaining an access token, and steps 4-7, namely the process of service access, are two independent processes and can be executed independently.
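An added end-to-end example (Python written for this page, not code from the application or from any NRF or NF implementation) of the direct-communication flow of FIG. 6, also covering the first, second and third access tokens described under S503 above. Steps 1-3 issue the token(s) from the second information, step 5 is the initial producer's HTTP 307 redirect, step 6 selects the token that names the redirect target, and step 7 is the target producer's check. All identifiers (instance IDs, NF type, NF Set identifier, service name, URIs), the claim names nf_type, nf_set_id and nf_instances, and the HMAC signing key are constructed assumptions; a real NRF signs access tokens with its own key pair and the producer verifies that signature.

```python
import base64
import hashlib
import hmac
import json

# Constructed identifiers; none of these values come from the application.
SERVICE = "nsmf-pdusession"
CONSUMER_ID = "amf-0001"
PROVIDER_1 = "smf-0001"   # first (initial) service provider network function
PROVIDER_2 = "smf-0002"   # second (redirect target) service provider network function
PROVIDER_URI = {PROVIDER_1: "http://smf1.example/nsmf-pdusession/v1",
                PROVIDER_2: "http://smf2.example/nsmf-pdusession/v1"}
NF_TYPE = "SMF"
NF_SET_ID = "set1.smfset.5gc.mnc001.mcc001"
# Second information for the token request: NF type, NF Set identifier and the
# instance identifiers of the producers that can provide the service.
SECOND_INFO = {"nf_type": NF_TYPE, "nf_set_id": NF_SET_ID,
               "nf_instances": [PROVIDER_1, PROVIDER_2]}
# Constructed NRF signing key. A real NRF signs tokens with its own key pair
# (JWS); HMAC is used here only to make the producer-side signature check visible.
NRF_KEY = b"constructed-nrf-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_token(claims: dict) -> str:
    """Compact JWS-style token header.payload.signature using HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(NRF_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_signature(token: str):
    """Return the claims if the signature is the NRF's, otherwise None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    mac = hmac.new(NRF_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(mac), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def nrf_issue(case: int, second_info: dict) -> list:
    """Step 2, cases 1-3: access token(s) that carry the second information."""
    base = {"sub": CONSUMER_ID, "scope": SERVICE}
    if case == 1:   # first access token: NF type and NF Set identifier
        return [sign_token({**base, "nf_type": second_info["nf_type"],
                            "nf_set_id": second_info["nf_set_id"]})]
    if case == 2:   # second access token: every candidate instance identifier
        return [sign_token({**base, "nf_instances": list(second_info["nf_instances"])})]
    if case == 3:   # third access tokens: one token per instance identifier
        return [sign_token({**base, "nf_instances": [i]})
                for i in second_info["nf_instances"]]
    raise ValueError(f"unknown case {case}")


def producer_verify(token: str, instance_id: str, nf_type: str, nf_set_id: str) -> bool:
    """Step 7: accept only a token for this service that names this producer."""
    claims = verify_signature(token)
    if claims is None or claims.get("scope") != SERVICE:
        return False
    if "nf_instances" in claims:          # the most specific claim present wins
        return instance_id in claims["nf_instances"]
    if "nf_set_id" in claims:
        return claims["nf_set_id"] == nf_set_id
    return claims.get("nf_type") == nf_type


def select_tokens(tokens: list, target_instance: str) -> list:
    """Step 6: prefer the token naming the redirect target, else send them all."""
    for token in tokens:
        if target_instance in (verify_signature(token) or {}).get("nf_instances", []):
            return [token]
    return tokens


def provider_1_handle(request: dict) -> dict:
    """Step 5: the initial producer redirects the consumer (constructed: always)."""
    return {"status": 307, "location": PROVIDER_URI[PROVIDER_2],
            "target_instance": PROVIDER_2}


def provider_2_handle(request: dict) -> dict:
    """Step 7: the redirect target verifies every token in the service request."""
    ok = any(producer_verify(t, PROVIDER_2, NF_TYPE, NF_SET_ID) for t in request["tokens"])
    return {"status": 200 if ok else 403}


def run_flow(case: int) -> int:
    """Steps 1-7 of FIG. 6 for one token case; returns the final HTTP status."""
    tokens = nrf_issue(case, SECOND_INFO)                         # steps 1-3
    redirect = provider_1_handle({"tokens": tokens})              # steps 4-5
    if redirect["status"] not in (307, 308):
        return redirect["status"]
    chosen = select_tokens(tokens, redirect["target_instance"])   # step 6
    return provider_2_handle({"tokens": chosen})["status"]        # step 7
```

The producer check is ordered from the most to the least specific claim: an instance-identifier list is authoritative when present, then the NF Set identifier, then the NF type. A token naming only the initial producer is rejected by the redirect target, which is the failure that including the second information in the token request avoids.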
  • FIG. 7 is a schematic flowchart of a network function service authorization method in the indirect communication scenario in the embodiment of the present application. As shown in the figure, the process may include:
  • Step 0 The service consumer network function determines or receives the first information before requesting the access token.
  • the specific implementation of this step is basically the same as step 0 in FIG. 6 . The difference is:
  • the service consumer network function determines the first information, including checking whether the service consumer network function communicates with the service provider network function through the SCP. If yes, the service consumer network function determines the first information, that is, it is determined that the service consumer network function communicates with the service provider network function through the SCP.
  • the first information here is used to indicate that the service consumer network function communicates with the service provider network function through the SCP.
  • the NRF checks whether the service consumer network function communicates with the service provider network function through the SCP; this may be checked according to local configuration, where the local configuration indicates whether the network or the service consumer network function supports or uses indirect communication, or whether the service consumer network function communicates with the service provider network function through the SCP.
  • Step 1 The service consumer network function sends a message for requesting an access token to the NRF according to the first information, and the message includes the second information.
  • the specific implementation of this step is basically the same as step 1 in FIG. 6.
  • Step 2 The NRF checks whether the service consumer network function has authorization to access the requested first service. After a successful check, the NRF generates one or more access tokens.
  • the specific implementation of this step is basically the same as step 2 in FIG. 6.
  • Step 3 The NRF returns the generated one or more access tokens to the service consumer network function.
  • Step 4 The service consumer network function sends a message requesting the service (ie, a service request) to the first service provider network function (ie, the initial service provider network function); the message is sent to the first service provider network function via the SCP.
  • the first service provider network function may send a response message, which includes an HTTP redirect status code (such as HTTP 307 redirection or HTTP 308 redirection) and information of the second service provider network function (ie, the target service provider network function), such as its URI and/or instance identifier; the response message is sent to the service consumer network function via the SCP.
  • Step 6 After receiving the message sent in step 4, the service consumer network function sends a service request message to the second service provider network function according to the HTTP redirection status code and the information of the second service provider network function; the message includes the access token received in step 3, and the service request message is sent to the second service provider network function via the SCP.
  • Step 7 The second service provider network function verifies the received access token, and if the verification passes, it provides services for the service consumer network function.
  • the SCP directly sends the service request message to the second service provider network function after receiving the HTTP redirection status code and the information of the second service provider network function sent by the first service provider network function.
  • steps 1-3 (namely, the process of obtaining an access token) and steps 4-7 (namely, the process of service access) are two independent processes and can be executed independently.
  • FIG. 8 is a schematic flowchart of a network function service authorization method in the direct communication scenario in the embodiment of the present application. As shown in the figure, the process may include:
  • Step 1 The service consumer network function sends a message to the NRF requesting an access token.
  • the message includes the instance identifier of the service consumer network function and the service name of the service requested by the service consumer network function.
  • the message may also include the NF type or instance identifier of the service provider network function requested by the service consumer network function.
  • the service requested by the service consumer network function is the first service.
  • the service provider network function requested by the service consumer network function is the service provider network function that provides the first service, such as the first service provider network function.
  • Step 2 The NRF checks whether the service consumer network function has authorization to access the requested service. After a successful check, the NRF generates an access token, called the fifth access token.
  • the fifth access token may be an access token (NF type) or an access token (NF instance). If, in the message in step 1, the service consumer network function includes the NF type of the requested service provider network function, then the fifth access token is an access token (NF type), that is, the fifth access token includes the NF type of the requested service provider network function (such as the NF type of the first service provider network function); if, in the message in step 1, the service consumer network function includes the instance identifier of the requested service provider network function, then the fifth access token is an access token (NF instance), that is, the fifth access token includes the instance identifier of the requested service provider network function (such as the instance identifier of the first service provider network function).
  • the fifth token also includes the instance identifier of the service consumer network function, the name of the requested service, the instance identifier of the NRF, and the like.
  • Step 3 The NRF returns the generated fifth access token to the service consumer network function.
  • Step 4 The service consumer network function sends a message for requesting the first service to the first service provider network function (ie, the initial service provider network function); the message includes the fifth access token, etc.
  • Step 5 When the first service provider network function is in the overload state or is about to enter the overload state, it can return a response message to the service consumer network function, which includes the HTTP redirection status code and the information of the second service provider network function (ie, the target service provider network function).
  • the second service provider network function is the service provider network function to which HTTP is redirected, that is, the available service provider network function, that is, the service provider network function that can provide the first service.
  • the HTTP redirection status code here corresponds to the first indication in FIG. 5.
  • the HTTP redirection status code and the information of the second service provider network function (that is, the target service provider network function) correspond to the first information in FIG. 5.
  • Step 6 The service consumer network function sends a message for requesting an access token to the NRF according to the received HTTP redirection status code and the information of the second service provider network function, and the message includes the second information. This message corresponds to the first request message in S501 in FIG. 5.
  • the second information may include: information about the second service provider network function, such as the instance identifier of the second service provider network function, or the NF type of the second service provider network function, or the NF type and NF Set identifier of the second service provider network function, or the NF Set identifier of the second service provider network function.
  • the second information may include: information about the first service provider network function, such as the NF type of the first service provider network function, or the NF type and NF Set identifier of the first service provider network function, or the NF Set identifier of the first service provider network function.
  • the second information may include: the instance identifiers of multiple service provider network functions.
  • These service provider network functions meet one or more of the following conditions: they can provide the first service; they belong to the same network function set as the first service provider network function (that is, they have the same NF Set identifier as the first service provider network function); they belong to the same network function type as the first service provider network function. It should be understood that these service provider network functions include the second service provider network function.
  • the service consumer network function checks whether the second condition is satisfied, and if so, the service consumer network function performs step 6; otherwise step 6 is not performed, and instead a message for requesting the first service is sent to the second service provider network function, carrying the fifth access token.
  • the second condition is: the fifth access token includes the instance identifier of the first service provider network function, and/or the fifth access token does not include the NF type of the service provider network function, and/or the fifth access token does not include the NF Set identifier of the service provider network function, and/or the fifth access token does not include the NF Set identifier and the NF type of the service provider network function, and/or the fifth access token does not include the instance identifier of the second service provider network function.
  • when the second condition is satisfied, the service consumer network function executes step 6; otherwise, when the fifth access token includes the NF type of the service provider network function, and/or the fifth access token includes the NF Set identifier of the service provider network function, and/or the fifth access token includes the NF Set identifier and the NF type of the service provider network function, and/or the fifth access token includes the instance identifier of the second service provider network function, the service consumer network function executes step 9.
  • the NF type of the service provider network function here may be the NF type of the first service provider network function or the NF type of the second service provider network function; the NF Set identifier of the service provider network function may be the NF Set identifier of the first service provider network function or the NF Set identifier of the second service provider network function.
  • Step 7 The NRF checks whether the service consumer network function is authorized to access the requested service. After the check is successful, an access token is generated, that is, the NRF generates a first access token, or a second access token, or at least two third access tokens, or a fourth access token. See the description of FIG. 5 for details.
  • Step 8 The NRF returns the generated access token to the service consumer network function, that is, returns the generated first access token, or second access token, or at least two third access tokens, or fourth access token. See the description of FIG. 5 for details. This message corresponds to the first response message of S503 in FIG. 5.
  • Step 9 The service consumer network function sends a message for the requested service (that is, a service request) to the second service provider network function, and the message includes the obtained first access token, second access token, third access token, or fourth access token. This message corresponds to the second request message in FIG. 5.
  • Step 10 The second service provider network function verifies the received access token, and provides services for the service consumer network function after the verification is passed.
  • steps 1-3, 4-5, 6-8, and 9-10 are all independent processes and can be used independently.
  • FIG. 9 is a schematic flowchart of a network function service authorization method in the indirect communication scenario in the embodiment of the present application. As shown in the figure, the process may include:
  • Step 1 The service consumer network function sends a message to the NRF requesting an access token.
  • the specific implementation of this step is basically the same as step 1 in FIG. 8.
  • Step 2 The NRF checks if the service consumer network function has authorization to access the requested first service. After a successful check, the NRF generates a fifth access token.
  • the specific implementation of this step is basically the same as step 2 in FIG. 8.
  • Step 3 The NRF returns the generated fifth access token to the service consumer network function. Same as step 3 in FIG. 8.
  • Step 4 The service consumer network function sends a message for requesting a service (ie, a service request) to the first service provider network function (ie, the initial service provider network function).
  • the request message is sent to the first service provider network function via the SCP.
  • the message includes a fifth access token.
  • Step 5 The first service provider network function returns a response message to the service consumer network function, which includes first information, and the first information includes the first indication and information of the second service provider network function (ie, the target service provider network function), such as its URI and/or instance identifier.
  • the first indication is used to indicate HTTP redirection, or other available service provider network functions, or service access authorization failure, or access token acquisition.
  • This response message is sent to the service consumer network function via the SCP.
  • Step 6 The service consumer network function sends a message for requesting an access token to the NRF according to the received first information, and the message carries the second information.
  • the specific implementation of this step is the same as step 6 in FIG. 8.
  • Step 7 The NRF checks whether the service consumer network function is authorized to access the requested service. After the check is successful, an access token is generated, that is, the NRF generates a first access token, or a second access token, or at least two third access tokens, or a fourth access token. See the description of FIG. 5 for details.
  • Step 8 The NRF returns the generated access token to the service consumer network function, that is, returns the generated first access token, or second access token, or at least two third access tokens, or fourth access token. See the description of FIG. 5 for details.
  • Step 9 The service consumer network function sends a message for the requested service (that is, a service request) to the second service provider network function, and the message includes the obtained first access token, second access token, third access token, or fourth access token. This message corresponds to the second request message in FIG. 5. This message is sent to the second service provider network function via the SCP.
  • Step 10 The second service provider network function verifies the received access token, and provides services for the service consumer network function after the verification is passed.
  • steps 1-3, 4-5, 6-8, and 9-10 are all independent processes and can be used independently.
  • FIG. 10 is a network function service authorization flow in an indirect communication scenario provided by another embodiment of the present application. As shown in the figure, the process may include:
  • a service communication proxy receives a first request message of a service consumer network function, where the first request message includes a first access token. The first request message is used to request access to the first service.
  • the first access token carried in the service request is obtained by the service consumer from the NRF, see the flow shown in FIG. 4 .
  • the first token also includes the instance identifier of the service consumer network function, the name of the requested service, the instance identifier of the NRF, and the like.
  • the requested service is the first service.
  • the first access token may be an access token (NF type), that is, the first access token includes the NF type of the requested service provider network function; or the first access token is an access token (NF instance), that is, the first access token includes the instance identifier of the requested service provider network function (such as the instance identifier of the first service provider network function).
  • the service provider network function requested here is a network function that provides the first service, such as the first service provider network function.
  • the SCP sends a second request message to the first service provider network function, where the second request message includes the first access token.
  • the second request message is used to request the first service.
  • the SCP receives a second response message from the first service provider network function; the second response message includes the information of the second service provider network function and an HTTP redirect status code, and the HTTP redirect status code is used to indicate service access authorization failure, or HTTP redirection, or that an access token is to be obtained, or that other service provider network functions are available.
  • after receiving the second request message, the first service provider network function, for some reason (for example, the first service provider network function is in the overload state or is about to enter the overload state, and in order to alleviate the overload state or avoid entering the overload state), sends the second response message, which includes the HTTP redirection status code and the information of the second service provider network function (that is, the target service provider network function).
  • the first information includes the first indication and/or the instance identifier of the network function of the second service provider.
  • the first indication is used to indicate that HTTP redirection has occurred, or used to indicate that the service consumer network function should acquire an access token, or that service access authorization has failed, or that there are other available service provider network functions.
  • the information of the second service provider network function includes a URI or instance identification of the second service provider network function.
  • the SCP sending the first information to the service consumer network function includes the SCP sending a first response message to the service consumer network function, where the first response message includes the first information.
  • the first information is a message, and the message is used to notify the service consumer network function that service access authorization has failed, or that HTTP redirection has occurred, or that an access token should be obtained, or that there are other service provider network functions available; the message optionally includes information about the second service provider network function.
  • the SCP determines that the first condition is met. That is to say, the SCP sends the first information to the service consumer network function only if the first condition is met.
  • the first condition includes at least one of the following conditions:
  • the first access token does not include the instance identifier of the second service provider network function
  • the first access token cannot be used to authorize access to the services of the second service provider network function
  • the first access token can only be used to access a specific service provider network function instance, or can only be used to access the services of the first service provider network function, the specific service provider network function including the first service provider network function;
  • the first access token does not include the network function type or network function set identifier of the service provider network function
  • the first access token includes the instance identifier of the first service provider network function.
  • the SCP sends a third request message to the second service provider network function, the third request message is a message for requesting a service, and the third request message includes the first access token.
  • the service consumer network function re-requests the NRF for obtaining an access token according to the first information.
  • the SCP sends the first information to the service consumer network function, and after the service consumer network function obtains an access token again, the service consumer network function uses the re-acquired access token to request a service from the second service provider network function.
  • the process may include the following steps:
  • the service consumer network function sends a fourth request message; the fourth request message is a message for requesting a service and includes the re-acquired access token. After receiving the fourth request message, the SCP sends a fifth request message to the second service provider network function; the fifth request message is a service request and includes the received access token.
  • the second service provider network function verifies the received access token, and provides services for the service consumer network function after the verification is passed.
  • when the service consumer network function uses the first access token to request a service from the first service provider network function and HTTP redirection occurs, the service communication proxy can, after receiving the second response message from the first service provider network function (which includes the information of the second service provider network function and the redirection status code), send the first information to the service consumer network function, so that the service consumer network function requests to re-acquire the access token and can use the re-acquired access token to request services from the second service provider network function (ie, the redirected target service provider network function).
  • FIG. 11 shows a schematic diagram of a signaling interaction process in an indirect communication scenario. As shown in the figure, the process may include the following steps:
  • Step 1 The service consumer network function sends a message to the NRF requesting an access token. See step 1 in FIG. 9 for details.
  • Step 2 The NRF checks if the service consumer network function has authorization to access the requested first service. After a successful check, the NRF generates a first access token.
  • the first access token may be an access token (NF type) or an access token (NF instance). If, in the message in step 1, the service consumer network function includes the NF type of the requested service provider network function, then the first access token is an access token (NF type), that is, the first access token includes the NF type of the requested service provider network function (such as the NF type of the first service provider network function); if, in the message in step 1, the service consumer network function includes the instance identifier of the requested service provider network function, then the first access token is an access token (NF instance), that is, the first access token includes the instance identifier of the requested service provider network function (such as the instance identifier of the first service provider network function).
  • the first token also includes the instance identifier of the service consumer network function, the name of the requested service, the instance identifier of the NRF, and the like.
  • Step 3 The NRF returns the generated first access token to the service consumer network function.
  • Step 4 The service consumer network function sends a message for requesting a service (ie, a service request) to the first service provider network function (ie, the initial service provider network function), and the message includes the first access token.
  • the request message is sent to the first service provider network function via the SCP.
  • the service request message received by the SCP from the service consumer network function corresponds to the first request message in FIG. 10; the service request message sent by the SCP to the first service provider network function corresponds to the second request message in FIG. 10.
  • Step 5 The first service provider network function returns a response message to the SCP, which includes an HTTP redirection status code (such as HTTP 307 redirection or HTTP 308 redirection) and information of the second service provider network function (ie, the target service provider network function), such as its URI and/or instance identifier.
  • Step 6 After receiving the response message sent by the first service provider network function, which includes the HTTP redirection status code and the information of the second service provider network function, the SCP determines whether the first condition is satisfied. If it is satisfied, the SCP proceeds to step 7; if it is not satisfied, the SCP sends a message (not shown in the figure) for requesting a service to the second service provider network function, carrying the first access token.
  • the first condition includes at least one of the following:
  • the first access token does not include the instance identifier of the second service provider network function
  • the first access token cannot be used to authorize access to the services of the second service provider network function
  • the first access token can only be used to access a specific service provider network function instance, or can only be used to access the services of the first service provider network function, the specific service provider network function including the first service provider network function;
  • the first access token does not include the network function type or network function set identifier of the service provider network function
  • the first access token includes the instance identifier of the first service provider network function.
  • when the first condition is satisfied, it means that the first access token does not include the instance identifier of the second service provider network function, and/or the first access token cannot be used to authorize access to the services of the second service provider network function, and/or the first access token can only be used to access a specific service provider network function instance or can only be used to access the services of the first service provider network function (the specific service provider network function includes the first service provider network function), and/or the first access token does not include the network function type or network function set identifier of the service provider network function, and/or the first access token includes the instance identifier of the first service provider network function.
  • the SCP then executes step 7, sending the first information to the service consumer network function.
  • when the first condition is not satisfied, it means that the first access token includes the instance identifier of the second service provider network function, and/or the first access token can be used to authorize access to the services of the second service provider network function, and/or the first access token includes the network function type or network function set identifier of the service provider network function.
  • the SCP then sends the message for requesting the service to the second service provider network function, carrying the first access token.
  • Step 7 The SCP sends the first information to the service consumer network function.
  • the first information includes the first indication and/or the instance identifier of the network function of the second service provider.
  • the first indication is used to indicate that HTTP redirection has occurred, or used to indicate that the service consumer network function should obtain an access token, or that service access authorization has failed, or that there are other available service provider network functions.
  • the information of the second service provider network function includes a URI or instance identification of the second service provider network function.
  • the SCP sending the first information to the service consumer network function includes the SCP sending a first response message to the service consumer network function, where the first response message includes the first information.
  • the first information is a message, and the message is used to notify the service consumer network function that service access authorization has failed, or that HTTP redirection has occurred, or that an access token should be obtained, or that there are other available service provider network functions; the message optionally includes information of the second service provider network function, including the URI and/or instance identifier of the second service provider network function.
  • Step 8 After receiving the first information from the SCP, the service consumer network function sends a message for requesting an access token to the NRF.
  • the message may include the second information; for details, refer to the second information in the process shown in FIG. 5.
  • Step 9 The NRF checks whether the service consumer network function has authorization to access the requested service. After a successful check, the NRF generates an access token, namely a second access token, a third access token, a plurality of fourth access tokens, or a fifth access token. See the description in step 10 for the second access token, the third access token, the multiple fourth access tokens and the fifth access token.
  • Step 10 The NRF returns the generated access token to the service consumer network function, that is, returns the generated second access token, third access token, multiple fourth access tokens, or fifth access token.
  • the generated access token includes the second information.
  • the second access token includes the NF type of the service provider network function, and/or the NF set identifier of the service provider network function.
  • the service provider network function here is the service provider network function providing the first service, the first service provider network function, or the second service provider network function.
  • the third access token includes the instance identifiers of a plurality of service provider network functions. It should be noted that each instance identifier included in the third access token is an instance identifier in the second information. These service provider network functions can all provide the first service; that is, they include the second service provider network function.
  • Each fourth access token respectively includes an instance identifier of a service provider network function that can provide the first service.
  • the fourth access token includes the second information, in the sense that the instance identifier of the service provider network function carried in each fourth access token is one of the instance identifiers of the multiple service provider network functions in the second information.
  • the fifth access token includes the instance identifier of the second service provider network function.
  • the fifth access token includes the second information: the second information includes the instance identifier of the second service provider network function, and that is the instance identifier carried in the fifth access token.
  • Step 11 The service consumer network function sends a message for requesting a service (ie a service request) to the SCP, which includes the second access token, the third access token, the fourth access token or the fifth access token.
  • the SCP sends a message requesting the service to the second service provider network function (that is, the target service provider network function), which includes the second access token, third access token, fourth access token, or fifth access token.
  • the service request message received by the SCP from the consumer network function corresponds to the fourth request message in the process shown in Figure 10;
  • the service request message sent by the SCP to the second service provider network function corresponds to the fourth request message in Figure 10.
  • Step 12 The second service provider network function verifies the received access token, and provides services for the service consumer network function after the verification is passed.
  • the first access token can be used for the service-time authorization check when the service consumer network function accesses the first service provider network function (that is, the initial service provider network function) as well as the second service provider network function (that is, the target service provider network function).
  • the process may include the following steps:
  • the Network Repository Function receives a first request message from a service consumer network function, where the first request message is used to request to acquire an access token.
  • the first request message includes the service name of the first service requested by the service consumer network function, and the network function type or instance identifier of the requested service provider network function;
  • the first request message may further include first information, which indicates one of the following: that the service consumer network function supports HTTP redirection; that the service consumer network function requests that the first service support HTTP redirection; that the service consumer network function requests that the service provider network function support HTTP redirection; that the first service supports HTTP redirection; or that the requested service provider network function supports HTTP redirection.
  • after receiving the first request message, the network repository function (NRF) determines whether a first condition is satisfied and, if so, generates a first access token, or a second access token, or multiple third access tokens.
  • the first condition is satisfied if the NRF receives the first information from the service consumer network function.
  • the first condition is satisfied if the local configuration of the NRF indicates that the first service or the requested service provider network function supports HTTP redirection.
  • the first condition is satisfied if the features supported by the first service or by the requested service provider network function include HTTP redirection.
  • the first condition is satisfied if the service consumer network function communicates with the service provider network function through an SCP.
  • the first access token includes the network function type of the requested service provider network function, or the network function set identifier of the requested service provider network function, or both.
  • the second access token includes the instance identifiers of multiple service provider network functions that can provide the first service. Since the service provider network functions that can provide the first service include the first service provider network function and the second service provider network function, the second access token includes the instance identifiers of both.
  • each third access token includes the instance identifier of one service provider network function that can provide the first service. Since both the first and the second service provider network function can provide the first service, one third access token includes the instance identifier of the first service provider network function and another includes the instance identifier of the second service provider network function.
  • before generating the first access token, the second access token, or the multiple third access tokens, the NRF also checks whether the service consumer network function is authorized to access the requested service. If not, the NRF generates no access token and returns a response message carrying the error cause to the service consumer network function.
  • if the first condition is not satisfied, the NRF generates a fourth access token; for example, the fourth access token carries the instance identifier of the requested service provider network function.
  • before generating the fourth access token, the NRF likewise checks whether the service consumer network function is authorized to access the requested service. If not, the NRF generates no access token and returns a response message carrying the error cause to the service consumer network function.
  • the NRF sends a first response message to the service consumer network function; the first response message may include the first access token, or the second access token, or the multiple third access tokens.
  • after obtaining the first access token, or the second access token, or the multiple third access tokens, the service consumer network function can send a service request to the first service provider network function (that is, the initial service provider network function) requesting that it perform the first service.
  • the first service provider network function is the service provider network function requested by the service consumer network function.
  • the first service provider network function may perform HTTP redirection, that is, send the HTTP redirection status code and the information of the second service provider network function (ie, the target service provider network function) to the service consumer network function.
  • the first access token, or the second access token, or a plurality of third access tokens obtained by the service consumer network function can be used for the service consumer network function to access the second service provider network function.
  • in this way, the authorization obtained for the first service also lets the service consumer network function invoke the service of the second service provider network function, so even if HTTP redirection occurs, the service consumer network function can obtain the service from the target service provider network function.
  • FIG. 13 is a schematic flow diagram in a direct communication scenario based on the flow shown in FIG. 12. As shown in the figure, the flow may include:
  • Step 1 The service consumer network function sends a message requesting an access token to the NRF (that is, the first request message), which includes the service name of the requested first service, the instance identifier of the service consumer network function, and the NF type or instance identifier of the requested service provider network function.
  • the first request message may further include first information, which indicates one of the following: that the service consumer network function supports HTTP redirection; that the service consumer network function requests that the first service support HTTP redirection; that the service consumer network function requests that the service provider network function support HTTP redirection; that the first service supports HTTP redirection; or that the requested service provider network function supports HTTP redirection.
  • Step 2 After the NRF receives the first request message, the NRF determines whether the first condition is met, and if so, generates a first access token, or a second access token, or a plurality of third access tokens.
  • the first condition is met if the NRF receives the first information from the service consumer network function.
  • the first condition is met if the local configuration of the NRF indicates that the first service or the requested service provider network function supports HTTP redirection.
  • the first condition is met if the features supported by the first service or by the requested service provider network function include HTTP redirection.
  • the first access token includes the network function type of the requested service provider network function, or its network function set identifier, or both.
  • the second access token includes the instance identifiers of multiple service provider network functions that can provide the first service. Since the service provider network functions that can provide the first service include the first service provider network function and the second service provider network function, the second access token includes the instance identifiers of both.
  • each third access token includes the instance identifier of one service provider network function that can provide the first service. Since both the first and the second service provider network function can provide the first service, one third access token includes the instance identifier of the first service provider network function and another includes the instance identifier of the second service provider network function.
  • before generating the first access token, or the second access token, or the multiple third access tokens, the NRF also checks whether the service consumer network function is authorized to access the requested service. If not, the NRF generates no access token and returns a response message carrying the error cause to the service consumer network function.
  • if the first condition is not satisfied, the NRF generates a fourth access token; for example, the fourth access token carries the instance identifier of the requested service provider network function.
  • before generating the fourth access token, the NRF likewise checks whether the service consumer network function is authorized to access the requested service. If not, the NRF generates no access token and returns a response message carrying the error cause to the service consumer network function.
  • Step 3 The NRF sends a first response message to the service consumer network function; the first response message may include the first access token, or the second access token, or the multiple third access tokens.
  • Step 4 The service consumer network function sends a message requesting the service (that is, a service request message) to the first service provider network function (that is, the initial service provider network function); the message includes the first access token, or the second access token, or the third access token(s).
  • when the service consumer network function has obtained multiple third access tokens, it may include all of them in the service request message, or include only the third access token that carries the instance identifier of the first service provider network function.
  • Step 5 The first service provider network function may send a response message carrying an HTTP redirection status code and the information of the second service provider network function to the service consumer network function; the HTTP redirection status code may be 307 Temporary Redirect or 308 Permanent Redirect.
  • Step 6 After receiving the response message of step 5, the service consumer network function sends a service request message to the second service provider network function according to the HTTP redirection status code and the information of the second service provider network function; the message includes the first access token, or the second access token, or the multiple third access tokens obtained in step 3.
  • when the service consumer network function has obtained multiple third access tokens, it may include all of them in the service request message, or include only the third access token that carries the instance identifier of the second service provider network function.
  • Step 7 The second service provider network function verifies the received access token, and if the verification is successful, executes the first service requested by the service consumer network function.
  • when the second service provider network function receives a second access token containing the instance identifiers of multiple service provider network functions, it checks whether the second access token includes its own instance identifier. If it does not, verification of the access token fails: the second service provider network function does not execute the first service requested by the service consumer network function and returns a response carrying the error cause.
  • steps 1-3 constitute the access token acquisition procedure, and steps 4-7 the service access procedure.
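The procedure of steps 1-7 above, worked through as an added example that is not part of the patent text: the NRF side decides whether the first condition holds (consumer indication, local configuration, HTTP redirection among the producers' supported features, or communication via SCP) and issues the first, second, third or fourth access token accordingly, after the authorization check of step 2; the producer side performs the step 7 verification, including the check that a second access token lists the producer's own instance identifier. The token format (a compact header.claims.mac string with HMAC-SHA256 standing in for the NRF's signature), the claim names (`aud`, `scope`, `producerNfSetId`), the feature name `HTTP_REDIRECT`, and the PCF instance identifiers and service name are all assumptions made for the example.

```python
from __future__ import annotations

import base64, hashlib, hmac, json
from dataclasses import dataclass, field

NRF_KEY = b"constructed-demo-key"   # assumption: stands in for the NRF's signing key
REDIRECT_FEATURE = "HTTP_REDIRECT"  # assumed feature name in a producer's NF profile


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_token(claims: dict) -> str:
    """Compact header.claims.mac token; HMAC-SHA256 stands in for the NRF signature."""
    header = _b64(b'{"alg":"HS256"}')
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(NRF_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"


def verify_token(token: str, now: float) -> dict | None:
    """Claims if the MAC and the expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    want = hmac.new(NRF_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(want).encode(), parts[2].encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    return claims if claims.get("exp", 0) > now else None


@dataclass
class Producer:
    instance_id: str
    nf_type: str
    nf_set_id: str
    services: set[str]
    features: set[str] = field(default_factory=set)


@dataclass
class TokenRequest:                        # the "first request message" to the NRF
    consumer_id: str
    service_name: str                      # service name of the first service
    target_nf_type: str
    target_instance_id: str | None = None  # set when one producer instance is requested
    redirect_indication: bool = False      # the "first information"


def first_condition(req: TokenRequest, producers: list[Producer],
                    local_redirect_services: set[str], via_scp: bool) -> bool:
    """Consumer indication, NRF local configuration, HTTP redirection among the
    capable producers' supported features, or consumer and producer using an SCP."""
    if req.redirect_indication or via_scp or req.service_name in local_redirect_services:
        return True
    return any(REDIRECT_FEATURE in p.features for p in producers if req.service_name in p.services)


def issue_tokens(req: TokenRequest, producers: list[Producer], authz: dict, *,
                 local_redirect_services=frozenset(), via_scp=False,
                 mode="instance_list", now=0.0) -> dict:
    """NRF steps 2-3.  mode picks the redirect-tolerant token: "nf_type_set" (first
    token), "instance_list" (second token) or "per_instance" (one third token each)."""
    if req.service_name not in authz.get(req.consumer_id, set()):
        return {"error": "consumer not authorized for the requested service"}
    capable = [p for p in producers if req.service_name in p.services and p.nf_type == req.target_nf_type]
    if not capable:
        return {"error": "no producer offers the requested service"}
    base = {"iss": "nrf", "sub": req.consumer_id, "scope": req.service_name, "exp": now + 3600}
    if not first_condition(req, producers, local_redirect_services, via_scp):
        aud = req.target_instance_id or capable[0].instance_id
        return {"kind": "fourth", "tokens": [sign_token({**base, "aud": aud})]}
    if mode == "nf_type_set":
        target = next((p for p in capable if p.instance_id == req.target_instance_id), capable[0])
        return {"kind": "first", "tokens": [sign_token(
            {**base, "aud": req.target_nf_type, "producerNfSetId": target.nf_set_id})]}
    if mode == "instance_list":
        return {"kind": "second", "tokens": [sign_token({**base, "aud": [p.instance_id for p in capable]})]}
    return {"kind": "third", "tokens": [sign_token({**base, "aud": p.instance_id}) for p in capable]}


def producer_check(token: str, me: Producer, service: str, now: float) -> str:
    """Producer step 7: 'ok', or the error cause returned to the consumer."""
    claims = verify_token(token, now)
    if claims is None:
        return "invalid_token"
    if claims.get("scope") != service:
        return "insufficient_scope"
    aud = claims.get("aud")
    if isinstance(aud, list):       # second token: my instance id must be in the list
        ok = me.instance_id in aud
    elif aud == me.instance_id:     # third or fourth token
        ok = True
    elif aud == me.nf_type:         # first token: NF type, optionally bound to an NF set
        ok = claims.get("producerNfSetId") in (None, me.nf_set_id)
    else:
        ok = False
    return "ok" if ok else "audience_mismatch"


# Constructed sample deployment: two PCF instances of one NF set offering one service.
SVC = "npcf-smpolicycontrol"
PCF_A = Producer("pcf-a", "PCF", "set-1", {SVC}, {REDIRECT_FEATURE})
PCF_B = Producer("pcf-b", "PCF", "set-1", {SVC}, {REDIRECT_FEATURE})
PRODUCERS = [PCF_A, PCF_B]
AUTHZ = {"smf-1": {SVC}}  # consumer instance -> services it may invoke
```

With `redirect_indication=True`, `issue_tokens` returns a second token whose `aud` lists both PCF instances, so the same token passes `producer_check` at pcf-b after a 307 from pcf-a. With no indication and producers that do not advertise the feature, the fourth token names only the requested instance and fails the audience check at the redirect target, which is the failure the first condition exists to avoid. Note that the producer still rejects an expired or tampered token before looking at the audience at all.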
  • FIG. 14 is a schematic diagram of signaling interaction in an indirect communication scenario based on the process shown in FIG. 12. As shown in the figure, the process may include:
  • Step 1 The service consumer network function sends a message (namely the first request message) for requesting an access token to the NRF, see step 1 in Figure 13 for details, and will not be repeated here.
  • Step 2 After receiving the first request message, the NRF determines whether the first condition is met and, if so, generates a first access token, or a second access token, or multiple third access tokens.
  • the first condition is met if the NRF receives the first information from the service consumer network function.
  • the first condition is met if the local configuration of the NRF indicates that the first service or the requested service provider network function supports HTTP redirection.
  • the first condition is met if the features supported by the first service or by the requested service provider network function include HTTP redirection.
  • the first condition is met if the service consumer network function communicates with the service provider network function through an SCP.
  • the first access token includes the network function type of the requested service provider network function, or its network function set identifier, or both.
  • the second access token includes the instance identifiers of multiple service provider network functions that can provide the first service. Since the service provider network functions that can provide the first service include the first service provider network function and the second service provider network function, the second access token includes the instance identifiers of both.
  • each third access token includes the instance identifier of one service provider network function that can provide the first service. Since both the first and the second service provider network function can provide the first service, one third access token includes the instance identifier of the first service provider network function and another includes the instance identifier of the second service provider network function.
  • before generating the first access token, the second access token, or the multiple third access tokens, the NRF also checks whether the service consumer network function is authorized to access the requested service. If not, the NRF generates no access token and returns a response message carrying the error cause to the service consumer network function.
  • if the first condition is not satisfied, the NRF generates a fourth access token; for example, the fourth access token carries the instance identifier of the requested service provider network function.
  • before generating the fourth access token, the NRF likewise checks whether the service consumer network function is authorized to access the requested service. If not, the NRF generates no access token and returns a response message carrying the error cause to the service consumer network function.
  • Step 3 The NRF sends a response message to the service consumer network function carrying the first access token, or the second access token, or the multiple third access tokens it generated; see step 3 in FIG. 13 for details.
  • Step 4 The service consumer network function sends a message for requesting a service to the SCP, including the received first access token, or the second access token, or multiple third access tokens.
  • the SCP sends a message requesting the service to the first service provider network function, including the access token received from the service consumer network function.
  • when the service consumer network function has obtained multiple third access tokens, it may include all of them in the service request message, or include only the third access token that carries the instance identifier of the first service provider network function.
  • Step 5 The first service provider network function sends a response message to the service consumer network function, and the response message is sent to the service consumer network function via the SCP.
  • the response message carries the HTTP redirection status code and information about the network function of the second service provider (such as URI and/or instance identifier).
  • Step 6 The service consumer network function sends a service request message to the second service provider network function via the SCP.
  • the message includes the first access token, or the second access token, or the multiple third access tokens.
  • when the service consumer network function has obtained multiple third access tokens, it may include all of them in the service request message, or include only the third access token that carries the instance identifier of the second service provider network function.
  • Step 7 The second service provider network function verifies the received access token, and if the verification is successful, executes the first service requested by the service consumer network function.
  • alternatively, after receiving the HTTP redirection status code and the information of the second service provider network function from the first service provider network function, the SCP may directly send the service request message to the second service provider network function, carrying the access token it received in step 4.
  • steps 1-3 constitute the access token acquisition procedure, and steps 4-7 the service access procedure.
  • the embodiment of the present application also provides a service consumer network function, as shown in FIG. 15 , the service consumer network function 1500 may include a transceiver unit 1501 and a processing unit 1502 .
  • the transceiver unit 1501 is used for the service consumer network function 1500 to receive information (message or data) or send information (message or data)
  • the processing unit 1502 is used for controlling and managing the actions of the service consumer network function 1500 .
  • the processing unit 1502 may also control the steps performed by the transceiver unit 1501 .
  • the network function 1500 may be used to realize the function of the service consumer network function in the embodiment shown in FIG. 5 . Specifically, it can include:
  • the transceiver unit 1501 is configured to send a first request message to the network repository function according to first information, where the first request message includes second information and the service name of the first service and is used to request an access token, the access token being used for the authorization check when the service consumer network function accesses the first service; and to receive a first response message from the network repository function.
  • the first information is used to indicate that at least one of the service consumer network function, the first service, and the service provider network function that provides the first service supports HTTP redirection.
  • the first information includes a first indication and/or the instance identifier of a second service provider network function, where the first indication indicates service access authorization failure, or HTTP redirection, or that an access token should be obtained, or that other service provider network functions are available, and the second service provider network function is the target service provider network function of the HTTP redirection; or
  • the first information includes instance identifiers of multiple service provider network functions; or, the first information is used to instruct the service consumer network function to use a service communication proxy to communicate with the service provider network function.
  • the transceiver unit 1501 is further configured to receive the first information before sending the first request message to the network repository function according to the first information.
  • the transceiver unit 1501 is specifically configured to receive the first information from the network repository function, the service communication proxy, or the first service provider network function.
  • the second information includes: the network function type of the service provider network function requested by the service consumer network function; or the instance identifier of the service provider network function requested by the service consumer network function or of the second service provider network function, where the second service provider network function is the target service provider network function of the HTTP redirection; or the instance identifiers of the multiple service provider network functions in the first information.
  • the response message includes any of the following:
  • a first access token, which includes the network function type of the service provider network function and/or the network function set identifier of the service provider network function;
  • a second access token, which includes the instance identifiers of multiple service provider network functions;
  • multiple third access tokens, each of which includes the instance identifier of one service provider network function;
  • a fourth access token, which includes the instance identifier of a second service provider network function, the second service provider network function being the target service provider network function of the HTTP redirection.
  • the transceiver unit 1501 is further configured to send, after receiving the first response message from the network repository function, a second request message to the first service provider network function, the second service provider network function, or the service communication proxy, where the second request message is used to request a service and includes the first access token, the second access token, the third access token, or the fourth access token.
  • the transceiver unit 1501 is further configured to send a third request message to the first service provider network function or the service communication proxy before sending the first request message to the network repository function according to the first information, where the third request message is used to request the first service.
  • the transceiver unit 1501 is further configured to send a fourth request message to the network repository function before sending the first request message to the network repository function according to the first information, where the fourth request message includes the service name of the first service and is used to request discovery of the first service or of a network function instance that can provide the first service.
  • the service communication proxy 1600 may include a transceiver unit 1601 and a processing unit 1602 .
  • the transceiver unit 1601 is used for the service communication proxy 1600 to receive information (messages or data) or send information (messages or data), and the processing unit 1602 is used to control and manage the actions of the service communication proxy 1600 .
  • the processing unit 1602 can also control the steps performed by the transceiver unit 1601 .
  • the service communication proxy 1600 may be used to realize the function of the service communication proxy in the embodiment shown in FIG. 10 . Specifically, it can include:
  • the transceiver unit 1601 is configured to: receive a first request message from a service consumer network function, the first request message including a first access token; send a second request message to the first service provider network function, the second request message including the first access token; receive a second response message from the first service provider network function, the second response message including information of the second service provider network function and a redirection status code, where the redirection status code indicates service access authorization failure, HTTP redirection, that an access token should be obtained, or that other service provider network functions are available; and send a first response message to the service consumer network function, the first response message being used by the service consumer network function to request a second access token.
  • the first response message includes first information, where the first information includes the first indication and/or the instance identifier of the network function of the second service provider.
  • the first indication is used to indicate that HTTP redirection has occurred, or to instruct the service consumer network function to obtain an access token, or to indicate that service access authorization has failed, or that other service provider network functions are available.
  • the processing unit 1602 is further configured to: before sending the first response message to the service consumer network function, determine that a first condition is satisfied; where the first condition includes at least one of the following conditions:
  • the first access token does not include the instance identifier of the second service provider network function
  • the first access token cannot be used to authorize service access to the second service provider network function;
  • the first access token can only be used to access specific service provider network function instances, or only to access the services of the first service provider network function, where the specific service provider network function instances include the first service provider network function;
  • the first access token does not include the network function type or network function set identifier of the service provider network function
  • the first access token includes the instance identifier of the first service provider network function.
  • the transceiver unit 1601 is further configured to: if the first condition is not met, send a third request message to the second service provider network function, the third request message includes the first access token.
  • the transceiver unit 1601 is further configured to: after sending the first response message to the service consumer network function, receive a fourth request message sent by the service consumer network function, the fourth request message including the second access token; and send a fifth request message to the second service provider network function, the fifth request message including the second access token.
  • the second access token includes the instance identifier of the second service provider network function, or the network function type of the service provider network function, or the network function set identifier of the service provider network function.
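The service communication proxy behaviour described in this section, together with the first-information exchange of the indirect flow described earlier, as an added example that is not part of the patent text: on a 307 or 308 response from the first service provider network function, the SCP evaluates the first condition against the token it forwarded and either relays the same token straight to the redirect target (first condition not met) or returns the first information, a first indication plus the target's instance identifier and URI, so the consumer can request a token for the target; a consumer helper then builds the second information for that NRF request. Everything below is assumed for the example: the producer directory keyed by URI, the claim names `aud` and `producerNfSetId`, the indication value `HTTP_REDIRECT`, the field name `targetNfInstanceId` and the unsigned sample tokens. The SCP reads the token's claims without verifying a signature, since in this model it is not the party holding the NRF's key; the authoritative check stays with the target producer.

```python
from __future__ import annotations

import base64, json
from dataclasses import dataclass


@dataclass(frozen=True)
class Producer:
    instance_id: str
    nf_type: str
    nf_set_id: str
    uri: str


# Constructed SCP view of the producers it is allowed to route to, keyed by URI prefix.
DIRECTORY = {
    "https://pcf-a.example.net": Producer("pcf-a", "PCF", "set-1", "https://pcf-a.example.net"),
    "https://pcf-b.example.net": Producer("pcf-b", "PCF", "set-1", "https://pcf-b.example.net"),
    "https://pcf-c.example.net": Producer("pcf-c", "PCF", "set-2", "https://pcf-c.example.net"),
}


def unverified_claims(token: str) -> dict:
    """Decode the claims segment of a compact token without checking its signature."""
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def token_covers(claims: dict, target: Producer) -> bool:
    """Negation of the SCP's first condition: True when the first access token can
    already be used toward the redirect target (instance list, instance, or type/set)."""
    aud = claims.get("aud")
    if isinstance(aud, list):
        return target.instance_id in aud
    if aud == target.instance_id:
        return True
    if aud == target.nf_type:
        return claims.get("producerNfSetId") in (None, target.nf_set_id)
    return False


def resolve(location: str) -> Producer | None:
    """Map a Location header to a known producer; anything else is not routed."""
    for prefix, producer in DIRECTORY.items():
        if location == prefix or location.startswith(prefix + "/"):
            return producer
    return None


def scp_on_producer_response(status: int, headers: dict, first_token: str) -> dict:
    """SCP decision on the first producer's response to the forwarded service request."""
    if status not in (307, 308):
        return {"action": "relay", "status": status}          # not a redirect: pass through
    target = resolve(headers.get("Location", ""))
    if target is None:
        return {"action": "reject", "status": 502, "cause": "redirect target unknown to SCP"}
    if token_covers(unverified_claims(first_token), target):
        # First condition not met: the same token is forwarded to the target directly.
        return {"action": "forward", "target": target.instance_id, "token": first_token}
    # First condition met: return the first information so the consumer fetches a new token.
    return {"action": "notify_consumer", "first_information": {
        "indication": "HTTP_REDIRECT",
        "target_instance_id": target.instance_id,
        "target_uri": target.uri}}


def consumer_token_request(first_information: dict, service: str) -> dict:
    """Consumer's follow-up request to the NRF: the second information names the target."""
    return {"scope": service, "targetNfInstanceId": first_information["target_instance_id"]}


def constructed_token(claims: dict) -> str:
    """Unsigned sample token for this example; the SCP never inspects the signature part."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f'{enc(b"{}")}.{enc(json.dumps(claims).encode())}.sig'
```

Two details matter in practice. The SCP refuses to follow a Location it cannot map to a registered producer, so a compromised or misbehaving producer cannot turn the redirect into a request to an arbitrary host carrying the consumer's token. And a token whose `aud` is an NF type bound to an NF set is forwarded only to targets in that set, which is the case the first access token of this section is meant to cover.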
  • the embodiment of the present application also provides a network repository function; as shown in FIG. 17 , the network repository function 1700 may include a transceiver unit 1701 and a processing unit 1702 .
  • the transceiver unit 1701 is used for the network repository function 1700 to receive information (messages or data) or send information (messages or data)
  • the processing unit 1702 is used for controlling and managing the actions of the network repository function 1700 .
  • the processing unit 1702 can also control the steps performed by the transceiver unit 1701 .
  • the network repository function 1700 can be used to implement the functions of the network repository function in the embodiment shown in FIG. 12 . Specifically, it can include:
  • the transceiver unit 1701 is configured to receive a first request message from the service consumer network function, where the first request message is used to request an access token and includes the service name of the first service requested by the service consumer network function and the network function type or instance identifier of the requested service provider network function; the processing unit 1702 is configured to determine that the first condition is met and then generate the first access token, or the second access token, or multiple third access tokens; and the transceiver unit 1701 is further configured to send a first response message to the service consumer network function, the first response message including the first access token, or the second access token, or the multiple third access tokens.
  • the processing unit 1702 is specifically configured to determine that the first condition is met if the first information is received from the service consumer network function; or if the local configuration of the network repository function indicates that the first service or the requested service provider network function supports HTTP redirection; or if the network function profile of the first service or of the requested service provider network function indicates that the features supported by the first service or by the requested service provider network function include HTTP redirection.
  • the first access token includes a network function type of the requested service provider network function, and/or a network function set identifier of the requested service provider network function;
  • the second access token includes instance identifiers of a plurality of service provider network functions; wherein the service provider network function can provide the first service;
  • the third access token includes an instance identifier of a service provider network function that can provide the first service.
  • the first request message includes first information, and the first information is used to indicate that the service consumer network function supports HTTP redirection, or that the service consumer network function requests the first service to support HTTP redirection, or that the service consumer network function requests the service provider network function to support HTTP redirection, or that the first service supports HTTP redirection, or that the requested service provider network function supports HTTP redirection.
  • the processing unit 1702 is further configured to: before generating the first access token, the second access token, or the multiple third access tokens, check that the service access authorization of the service consumer network function succeeds.
  • each functional unit in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • if the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to perform all or part of the steps of the methods described in the embodiments of the present application.
  • the aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
  • a communication device 1800 may include a transceiver 1801 and a processor 1802 .
  • the communication device 1800 may further include a memory 1803 .
  • the memory 1803 can be set inside the communication device 1800 , and can also be set outside the communication device 1800 .
  • the processor 1802 may control the transceiver 1801 to receive and send information or data, and the like.
  • the processor 1802 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
  • the processor 1102 may further include a hardware chip.
  • the aforementioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof.
  • the aforementioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof.
  • the transceiver 1801, the processor 1802 and the memory 1803 are connected to each other.
  • for example, the transceiver 1801, the processor 1802 and the memory 1803 are connected to each other through a bus 1804.
  • the bus 1804 can be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like.
  • the bus can be divided into address bus, data bus, control bus and so on. For ease of representation, only one thick line is used in FIG. 18 , but it does not mean that there is only one bus or one type of bus.
  • the memory 1803 is used to store programs and the like.
  • the program may include program code including computer operation instructions.
  • the memory 1803 may include RAM, and may also include non-volatile memory (non-volatile memory), such as one or more disk memories.
  • the processor 1802 executes the application program stored in the memory 1803 to realize the above functions, thereby realizing the functions of the communication device 1800 .
  • the communication device 1800 can be used to implement the function of the service consumer network function in the embodiment shown in FIG. 5, or the function of the service communication proxy in FIG. 10, or the function of the network repository function in FIG. 12; for details, reference may be made to the relevant descriptions of the corresponding processes, which are not repeated here.
  • this embodiment of the present application provides a communication system, which may include the service consumer network function, the service provider network function (including the first service provider network function and/or the second service provider network function), and the network repository function, and may further include the service communication proxy.
  • the embodiment of the present application also provides a computer-readable storage medium, which is used to store a computer program; when the computer program is executed by a computer, the computer can implement the network function service authorization method provided by the above method embodiment.
  • An embodiment of the present application further provides a computer program product, the computer program product is used to store a computer program, and when the computer program is executed by a computer, the computer can implement the method for network function service authorization provided by the above method embodiment.
  • the embodiment of the present application further provides a chip, including a processor, the processor is coupled with a memory, and is configured to call a program in the memory so that the chip implements the method for network function service authorization provided by the above method embodiment.
  • the embodiments of the present application may be provided as methods, systems, or computer program products. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
  • These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, and the instruction means implement the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

Abstract

A network function service authorization method and apparatus, which are used for authorizing a service consumer network function to access a first service (i.e. a service that is requested by the consumer network function). The method comprises: a service consumer network function sending a first request message to a network repository function according to first information, wherein the first request message comprises second information and the service name of a first service, the first request message is used for requesting the acquisition of an access token, and the access token is used for checking authorization when the service consumer network function accesses the first service; and the service consumer network function receiving a first response message from the network repository function.

Description

A network function service authorization method and apparatus
Cross-reference to related applications
This application claims priority to the Chinese patent application filed with the China Patent Office on August 9, 2021, application number 202110909303.5, entitled "A network function service authorization method and apparatus", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communication technologies, and in particular to a network function service authorization method and apparatus.
Background
The fifth generation communication system provides a service-based architecture. Under the service-based architecture, a service provider network function provides services, and a service consumer network function accesses the services provided by the service provider network function. Currently, the standard protocols define an authorization mechanism for a service consumer network function accessing a service provided by a service provider network function, to ensure that only an authorized service consumer network function can access the service provided by the service provider network function.
After a service provider network function or a service provider network function instance receives a service request from a service consumer network function, it may, for some reason (for example, because the service provider network function or the service provider network function instance is overloaded or about to become overloaded and wants to relieve or avoid the overload), perform Hypertext Transfer Protocol (HTTP) redirection, that is, notify the service consumer network function of another available service provider network function or service provider network function instance (the target service provider network function or target service provider network function instance), so that the service consumer network function can access the service of the target service provider network function or target service provider network function instance. However, because the service consumer network function may not yet have been authorized to access the service of the target service provider network function or of the target service provider network function instance, the service consumer network function cannot obtain the service from the target service provider network function or target service provider network function instance.
Summary
Embodiments of the present application provide a network function service authorization method and apparatus, for authorizing a service consumer network function to access a first service (that is, the service requested by the consumer network function).
In a first aspect, a network function service authorization method is provided, including: a service consumer network function sends a first request message to a network repository function according to first information, where the first request message includes second information and the service name of a first service, the first request message is used to request an access token, and the access token is used for the authorization check when the service consumer network function accesses the first service; and the service consumer network function receives a first response message from the network repository function.
The first information may be used to indicate that the service consumer network function satisfies the condition for sending the first request message, which contains the second information, to request the access token. The second information may include information about a service provider network function; for example, the second information is the network function type or network function set identifier of the service provider network function that provides the first service, or the instance identifier of a second service provider network function (that is, the target service provider network function). The first service is the service requested by the service consumer network function.
In the above implementation, the first request message sent by the service consumer network function carries the service name of the first service and the second information, where the first service is the service requested by the service consumer network function, and the second information is the network function type or network function set identifier of the service provider network function that provides the first service, or the instance identifier of the target service provider network function. Through the first request message, the service consumer network function can obtain an access token that includes the second information and is used for the authorization check when the service consumer network function accesses the first service (that is, the requested service), where the first service is provided by a service provider network function of that network function type, or by a service provider network function of that network function set, or by the target service provider network function. In this way, when redirection occurs (that is, when the service consumer network function needs to send a service request to the target service provider network function; herein the target service provider network function is also called the second service provider network function), the service consumer network function has already obtained an access token that can be used for the authorization check when accessing the first service provided by the target service provider network function. The target service provider network function can therefore check the access token successfully and then provide the service to the service consumer network function, so that when redirection occurs the service consumer network function is guaranteed to obtain the service provided by the target service provider network function.
In a possible implementation, the first information is used to indicate that the service consumer network function supports the Hypertext Transfer Protocol (HTTP) redirection feature, and/or that the first service supports the HTTP redirection feature, and/or that the service provider network function providing the first service supports the HTTP redirection feature; or the first information includes a first indication and/or the instance identifier of a second service provider network function, where the first indication is used to indicate a service access authorization failure, or HTTP redirection, or that an access token should be obtained, or that another service provider network function is available; or the first information includes the instance identifiers of multiple service provider network functions that can provide the first service; or the first information is used to indicate that the service consumer network function communicates with the service provider network function through a service communication proxy.
Optionally, before the service consumer network function sends the first request message to the network repository function according to the first information, the method further includes: the service consumer network function receives the first information.
Further, the service consumer network function receiving the first information includes: the service consumer network function receives the first information sent by the network repository function, or by a service communication proxy, or by a first service provider network function.
The first information from the first service provider network function may include a first indication (used to indicate HTTP redirection, or that another service provider network function is available, for example an HTTP redirection status code) and information about the second service provider network function (that is, the target service provider network function).
The first information from the service communication proxy may include a first indication and may further include information about the second service provider network function (that is, the target service provider network function). The first indication may include: information used to indicate HTTP redirection or that another service provider network function is available, such as an HTTP redirection status code; or information used to indicate a service access authorization failure, that HTTP redirection has occurred, that an access token should be obtained, or that another service provider network function is available (that is, an indication generated by the service communication proxy from the HTTP redirection indication received from the first service provider network function).
In a possible implementation, the second information includes: the network function type of the service provider network function requested by the service consumer network function; or the network function set identifier of the service provider network function requested by the service consumer network function; or the instance identifier of the second service provider network function; or the instance identifiers of multiple service provider network functions that can provide the first service.
In a possible implementation, the response message includes any one of the following: a first access token, which includes the network function type of the service provider network function and/or the network function set identifier of the service provider network function; or a second access token, which includes the instance identifiers of multiple service provider network functions; or multiple third access tokens, each of which includes the instance identifier of one service provider network function; or a fourth access token, which includes the instance identifier of the second service provider network function.
Optionally, after the service consumer network function receives the first response message from the network repository function, the method further includes: the service consumer network function sends a second request message to the first service provider network function, the second service provider network function, or the service communication proxy, where the second request message is used to request the service and includes the first access token, the second access token, the third access token, or the fourth access token.
In a possible implementation, before the service consumer network function sends the first request message to the network repository function according to the first information, the method further includes: the service consumer network function sends a third request message to the first service provider network function or the service communication proxy, where the third request message is used to request the first service.
In a possible implementation, before the service consumer network function sends the first request message to the network repository function according to the first information, the method further includes: the service consumer network function sends a fourth request message to the network repository function, where the fourth request message includes the service name of the first service and is used to request discovery of the first service or discovery of network function instances that can provide the first service.
In a second aspect, a network function service authorization method is provided, including: a service communication proxy receives a first request message from a service consumer network function, where the first request message includes a first access token; the service communication proxy sends a second request message including the first access token to a first service provider network function; the service communication proxy receives a second response message from the first service provider network function, where the second response message includes information about a second service provider network function and a redirection status code, and the redirection status code is used to indicate a service access authorization failure, or Hypertext Transfer Protocol (HTTP) redirection, or that an access token should be obtained, or that another service provider network function is available; and the service communication proxy sends a first response message to the service consumer network function, where the first response message is used for the consumer network function to request a second access token.
In the above implementation, in the indirect communication scenario, when HTTP redirection occurs while the service consumer network function is using the first access token to request a service from the first service provider network function, the service communication proxy, after receiving the second response message from the first service provider network function (which includes information about the second service provider network function and the redirection status code), sends the first response message to the service consumer network function so that it requests a second access token. The second access token can be used for the authorization check when the service consumer network function accesses the requested service, so the service consumer network function can use the second access token to request the service from the second service provider network function (that is, the target service provider network function to which it was redirected).
Optionally, the first response message includes first information, and the first information includes a first indication and/or the instance identifier of the second service provider network function; the first indication is used to indicate that HTTP redirection has occurred, or to instruct the service consumer network function to obtain an access token, or to indicate a service access authorization failure, or that another service provider network function is available.
In a possible implementation, before the service communication proxy sends the first response message to the service consumer network function, the method further includes:
the service communication proxy determines that a first condition is satisfied, where the first condition includes at least one of the following:
the first access token does not include the instance identifier of the second service provider network function;
the first access token cannot be used to authorize access to the service of the second service provider network function;
the first access token can only be used to access specific service provider network function instances, or can only be used to access the service of the first service provider network function, where the specific service provider network functions include the first service provider network function;
the first access token does not include a network function type or network function set identifier of a service provider network function;
the first access token includes the instance identifier of the first service provider network function.
Further, the method includes: if the first condition is not satisfied, the service communication proxy sends a third request message including the first access token to the second service provider network function.
In a possible implementation, after the service communication proxy sends the first response message to the service consumer network function, the method further includes: the service communication proxy receives a fourth request message sent by the service consumer network function, where the fourth request message includes the second access token; and the service communication proxy sends a fifth request message including the second access token to the second service provider network function.
In a possible implementation, the second access token includes the instance identifier of the second service provider network function, or the network function type of the service provider network function, or the network function set identifier of the service provider network function.
In a third aspect, a network function service authorization method is provided, including: a network repository function receives a first request message from a service consumer network function, where the first request message is used to request an access token and includes the service name of the first service requested by the service consumer network function and the network function type or instance identifier of the requested service provider network function; when the network repository function determines that a first condition is satisfied, it generates a first access token, or a second access token, or multiple third access tokens; and the network repository function sends a first response message to the service consumer network function, where the first response message includes the first access token, the second access token, or the multiple third access tokens.
In a possible implementation, the network repository function determining that the first condition is satisfied includes: the network repository function receives first information from the service consumer network function and thereby determines that the first condition is satisfied; or the local configuration of the network repository function indicates that the first service or the requested service provider network function supports Hypertext Transfer Protocol (HTTP) redirection, and the first condition is therefore determined to be satisfied; or the network function profile of the first service or of the requested service provider network function indicates that the features supported by the first service or the requested service provider network function include HTTP redirection, and the first condition is therefore determined to be satisfied.
In a possible implementation:
the first access token includes the network function type of the requested service provider network function and/or the network function set identifier of the requested service provider network function;
the second access token includes the instance identifiers of multiple service provider network functions that can provide the first service;
the third access token includes the instance identifier of one service provider network function that can provide the first service.
In a possible implementation, the first request message includes first information, and the first information is used to indicate that the service consumer network function supports HTTP redirection, or that the service consumer network function requests the first service to support HTTP redirection, or that the service consumer network function requests the service provider network function to support HTTP redirection, or that the first service supports HTTP redirection, or that the requested service provider network function supports HTTP redirection.
In a possible implementation, before the network repository function generates the first access token, the second access token, or the multiple third access tokens, the method further includes: the network repository function checks that the service access authorization of the service consumer network function succeeds.
In a fourth aspect, a communication device is provided, including: one or more processors; and one or more memories, where the one or more memories store one or more computer programs, the one or more computer programs include instructions, and when the instructions are executed by the one or more processors, the communication device is caused to perform the method according to any one of the first aspect, the second aspect and the third aspect.
In a fifth aspect, a computer-readable storage medium is provided, the computer-readable storage medium including a computer program which, when run on a computing device, causes the computing device to perform the method according to any one of the first aspect, the second aspect and the third aspect.
In a sixth aspect, a chip is provided, the chip being coupled to a memory and configured to read and execute program instructions stored in the memory, so as to implement the method according to any one of the first aspect, the second aspect and the third aspect.
In a seventh aspect, a computer program product is provided which, when invoked by a computer, causes the computer to perform the method according to any one of the first aspect, the second aspect and the third aspect.
For the beneficial effects of the second to seventh aspects above, refer to the beneficial effects of the first aspect; they are not repeated here.
Description of the drawings
FIG. 1 is a system architecture to which embodiments of the present application are applicable;
FIG. 2 is a schematic diagram of the registration procedure of a service provider network function in an embodiment of the present application;
FIG. 3 is a schematic diagram of the service discovery procedure in an embodiment of the present application;
FIG. 4 is a schematic diagram of a service authorization procedure in an embodiment of the present application;
FIG. 5 is a schematic diagram of a network function service authorization procedure provided by an embodiment of the present application;
FIG. 6 is a schematic diagram of a signaling interaction in a direct communication scenario, based on the procedure shown in FIG. 5;
FIG. 7 is a schematic diagram of a signaling interaction in an indirect communication scenario, based on the procedure shown in FIG. 5;
FIG. 8 is a schematic diagram of another signaling interaction in a direct communication scenario, based on the procedure shown in FIG. 5;
FIG. 9 is a schematic diagram of another signaling interaction in an indirect communication scenario, based on the procedure shown in FIG. 5;
FIG. 10 is a schematic diagram of another network function service authorization procedure provided by an embodiment of the present application;
FIG. 11 is a schematic diagram of a signaling interaction procedure in an indirect communication scenario, based on the procedure shown in FIG. 10;
FIG. 12 is a schematic diagram of another network function authorization procedure provided by an embodiment of the present application;
FIG. 13 is a schematic diagram of a signaling interaction procedure in a direct communication scenario, based on the procedure shown in FIG. 12;
FIG. 14 is a schematic diagram of a signaling interaction procedure in an indirect communication scenario, based on the procedure shown in FIG. 12;
FIG. 15 is a schematic structural diagram of a service consumer network function provided by an embodiment of the present application;
FIG. 16 is a schematic structural diagram of a service communication proxy provided by an embodiment of the present application;
FIG. 17 is a schematic structural diagram of a network repository function provided by an embodiment of the present application;
FIG. 18 is a schematic structural diagram of a communication apparatus provided by an embodiment of the present application.
Detailed description of embodiments
The present application is described in further detail below with reference to the accompanying drawings.
Embodiments of the present application provide a service authorization method and apparatus, used to authorize a service consumer network function to access a first service (that is, the service requested by that consumer network function). The method and the apparatus described in this application are based on the same technical concept; since the principles by which the method and the apparatus solve the problem are similar, the implementations of the apparatus and of the method may refer to each other, and repeated content is not described again.
In the description of the present application, terms such as "first" and "second" are used only to distinguish between the items being described, and are not to be understood as indicating or implying relative importance, nor as indicating or implying order. It should be noted that the present application does not limit the order in which first, second, etc. appear; for example, a fifth may appear before a third, and the present application does not limit this.
In the description of the present application, "at least one (item)" means one (item) or a plurality of (items), and "a plurality of (items)" means two (items) or more.
A possible communication system architecture to which the service authorization method provided in embodiments of the present application is applicable may include a radio access network, a terminal device and a core network. For example, FIG. 1 shows a possible example of the architecture of the communication system. In this architecture, the radio access network may include an access network device. The core network may include: a network exposure function (NEF) network element, a policy control function (PCF) network element, a unified data management (UDM) network element, an application function (AF) network element, an authentication server function (AUSF) network element, an access and mobility management function (AMF) network element, a session management function (SMF) network element, a network data analytics function (NWDAF) network element, a network repository function (NRF) network element and a user plane function (UPF) network element, and may also include a network slice selection function (NSSF) network element. The AMF network element and the access network device may be connected through the N2 interface, the access network device and the UPF may be connected through the N3 interface, the SMF and the UPF may be connected through the N4 interface, and the AMF network element and the UE may be connected through the N1 interface. The interface names are merely examples and are not specifically limited in embodiments of the present application. It should be understood that embodiments of the present application are not limited to the communication system shown in FIG. 1, and the names of the network elements shown in FIG. 1 are given here merely as examples, not as a limitation on the network elements included in a communication system architecture to which the method of the present application is applicable. The functions of the network elements or devices in the communication system are described in detail below:
A terminal device, which may also be called user equipment (UE), a mobile station (MS), a mobile terminal (MT), etc., is a device that provides voice and/or data connectivity to a user. For example, the terminal device may include a handheld device with a wireless connection function, a vehicle-mounted device, and the like. At present, the terminal device may be a mobile phone, a tablet computer, a notebook computer, a palmtop computer, a mobile internet device (MID), a wearable device, a virtual reality (VR) device, an augmented reality (AR) device, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical surgery, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, or the like. The terminal device in FIG. 1 is shown as a UE, which is merely an example and does not limit the terminal device.
(R)AN device: a device that provides access for terminal devices, including radio access network (RAN) devices and access network (AN) devices. A RAN device is mainly a 3GPP wireless network device, while an AN may be an access network device defined outside 3GPP (non-3GPP). The RAN device is mainly responsible for air-interface functions such as radio resource management, quality of service (QoS) management, data compression and encryption. The access network device may include base stations of various forms, for example macro base stations, micro base stations (also called small cells), relay stations, access points, and so on. In systems using different radio access technologies, the names of devices with base station functions may differ; for example, in a 5G system such a device is called a RAN or a gNB (5G NodeB).
Access and mobility management function network element (AMF): may be used to manage access control and mobility of terminal devices. In practical applications it includes the mobility management function of the mobility management entity (MME) in the long term evolution (LTE) network framework, with an access management function added; specifically, it may be responsible for registration of terminal devices, mobility management, the tracking area update procedure, reachability detection, selection of the session management function network element, mobility state transition management, and so on. For example, in 5G the access and mobility management function network element may be an AMF network element, as shown in FIG. 1; in future communications such as 6G it may still be an AMF network element or may have another name, which is not limited in this application. When the access and mobility management function network element is an AMF network element, the AMF may provide the Namf service.
Session management function network element (SMF): may be responsible for session management of terminal devices (including session establishment, modification and release), selection and reselection of user plane function network elements, internet protocol (IP) address allocation for terminal devices, quality of service (QoS) control, and so on. For example, in 5G the session management function network element may be an SMF network element, as shown in FIG. 1; in future communications such as 6G it may still be an SMF network element or may have another name, which is not limited in this application. When the session management function network element is an SMF network element, the SMF may provide the Nsmf service.
Network data analytics network element (NWDAF): may be used for big data analysis, for example acquiring data, analyzing the data, and providing the analysis results to other network elements or application functions. When the NWDAF performs data analysis, its functions may also include training models and performing inference based on the trained models. Specifically, the functions of the NWDAF may be decomposed into multiple independent instances that exist independently; alternatively, one NWDAF instance provides certain functions. For example, one NWDAF instance may provide model training and supply models to other NWDAF instances; another NWDAF instance may not provide model training at all, but instead obtain models from other NWDAF instances and then perform data analysis based on the obtained models. For example, in 5G the network data analytics network element may be an NWDAF network element, as shown in FIG. 1; in future communications such as 6G the data analytics network element may still be an NWDAF network element or may have another name, which is not limited in this application. When the network data analytics network element is an NWDAF network element, the NWDAF network element may provide the Nnwdaf service.
User plane function network element (UPF): responsible for forwarding and receiving user data of terminal devices. It may receive user data from a data network and transmit it to the terminal device through the access network device; the UPF network element may also receive user data from the terminal device through the access network device and forward it to the data network. The transmission resources and scheduling functions in the UPF network element that serve terminal devices are managed and controlled by the SMF network element. For example, in a 5G system the user plane function network element may be a UPF network element, as shown in FIG. 1; in future communications such as 6G it may still be a UPF network element or may have another name, which is not limited in this application.
Policy control function network element (PCF): mainly supports providing a unified policy framework to control network behavior, provides policy rules to control-plane network functions, and is responsible for obtaining user subscription information related to policy decisions. For example, in 5G the policy control function network element may be a PCF network element, as shown in FIG. 1; in future communications such as 6G it may still be a PCF network element or may have another name, which is not limited in this application. When the policy control function network element is a PCF network element, the PCF network element may provide the Npcf service.
Network exposure function network element (NEF): mainly supports secure interaction between the 3GPP network and third-party applications. For example, in 5G the network exposure function network element may be an NEF network element, as shown in FIG. 1; in future communications such as 6G it may still be an NEF network element or may have another name, which is not limited in this application. When the network exposure function network element is an NEF, the NEF may provide the Nnef service to other network function network elements.
Application function network element (AF): mainly supports interaction with the 3GPP core network to provide services, for example influencing data routing decisions, policy control functions, or providing some third-party services to the network side. For example, in 5G the application function network element may be an AF network element, as shown in FIG. 1; in future communications such as 6G it may still be an AF network element or may have another name, which is not limited in this application. When the application function network element is an AF network element, the AF network element may provide the Naf service.
Unified data management function network element (UDM): used for generating authentication credentials, user identifier handling (such as storing and managing the user's permanent identity), access authorization control, subscription data management, and so on. For example, in 5G the unified data management function network element may be a UDM network element, as shown in FIG. 1; in future communications such as 6G it may still be a UDM network element or may have another name, which is not limited in this application. When the unified data management function network element is a UDM network element, the UDM network element may provide the Nudm service.
Authentication server function network element (AUSF): used to support the authentication function when a UE accesses the network, and to support network slice-specific authentication and authorization procedures. For example, in 5G the authentication server function network element may be an AUSF network element, as shown in FIG. 1; in future communications such as 6G it may still be an AUSF network element or may have another name, which is not limited in this application. When the authentication server function network element is an AUSF network element, the AUSF network element may provide the Nausf service.
Network repository function network element (NRF): may be used to provide a network element discovery function, providing, on request from other network elements, the network element information corresponding to a network element type. The NRF network element also provides network element management services, such as network element registration, update and deregistration, and network element status subscription and notification. For example, in 5G the network repository function network element may be an NRF network element, as shown in FIG. 1; in future communications such as 6G it may still be an NRF network element or may have another name, which is not limited in this application. When the network repository function network element is an NRF network element, the NRF network element may provide the Nnrf service.
Data network (DN): a service network that provides data transmission services to users, such as an IP multimedia service (IMS) network or the Internet. The UE accesses the DN through a protocol data unit (PDU) session established between the UE and the DN.
Service communication proxy (SCP): may be used to provide one or more of the following functions: forwarding and routing messages to a target network function or target network function service; forwarding and routing messages to the next-hop SCP; delegated discovery (that is, the SCP performs service discovery, or discovery of the network function providing a service, or discovery of the network function instance providing a service); indirect communication (that is, the service consumer network function and the target service provider network function communicate through the SCP); communication security; load balancing; overload control; and so on.
Each network element in the core network may also be called a functional entity, a device or a network function; it may be a network element implemented on dedicated hardware, a software instance running on dedicated hardware, or an instance of a virtualized function on a suitable platform, where the virtualization platform may be, for example, a cloud platform.
In this application, a network element may also be called a network function, a function, an entity, etc., which is not limited in this application.
It should be noted that the architecture of the communication system shown in FIG. 1 is not limited to the network elements shown in the figure, and may also include other devices not shown in the figure; these are not listed one by one here.
It should be noted that embodiments of the present application do not limit the distribution form of the network elements; the distribution shown in FIG. 1 is merely an example and is not limited in this application.
For ease of description, the following description uses the network elements shown in FIG. 1 as an example and refers to the "XX network element" simply as "XX". It should be understood that the names of all network elements in this application are merely examples; in future communications they may have other names, or the network elements involved in this application may be replaced by other entities or devices with the same functions, none of which is limited in this application. This is stated here once and not repeated below.
It should be noted that the communication system shown in FIG. 1 does not constitute a limitation on the communication systems to which embodiments of the present application are applicable. The architecture shown in FIG. 1 is a 5G system architecture; optionally, the method of the embodiments is also applicable to various future communication systems, such as 6G or other communication networks.
It should be noted that a service provider network function in embodiments of the present application means a network function that provides a network function service; a service provider network function may also be called a network function service producer (NF service producer), a service producer, or another name. A service consumer network function means a network function that accesses or uses a network function service; a service consumer network function may also be called a network function service consumer (NF service consumer), a service consumer, or another name, which is not limited in this application. In this application, a network service may also be called a service. For example, the service provider network function may also be named after the specific service it provides, and likewise the service consumer network function may be named after the specific service it requests, which is not limited in this application.
For example, the service provider network function may be any network element, device or entity in the above communication system that can provide a network function service, and the service consumer network function may be any network element, device or entity in the above communication system that requests a network function service. For instance, the service provider network function may be an AUSF, which can provide an authentication service, and the service consumer network function may be an AMF, which can request the authentication service from the AUSF; this is not limited in this application.
A service consumer network function and a service provider network function may communicate directly; this is called direct communication. They may also communicate indirectly, that is, through a service communication proxy (SCP); this is called indirect communication.
The standard protocol specifies the procedure by which a service provider network function registers with the NRF (network repository function); through this registration procedure, the service provider network function provides its network function profile (NF profile) to the NRF. For example, FIG. 2 shows the NF registration procedure. In step 1, the service provider network function sends a message requesting registration (such as Nnrf_NFManagement_NRFRegister Request) to the network repository function (such as the NRF). The message includes the NF profile of the service provider network function, and the NF profile includes the instance identifier (nfInstanceId) and the network function type (nfType) of the service provider network function. The NF profile may also include a network service list (nfServiceList). The nfServiceList includes one or more network function services (NFService), each of which includes a service name (serviceName), a service instance identifier (serviceInstanceId), and the like. Each NFService may also include the features supported by that service instance (supportedFeatures). The supportedFeatures may include HTTP 307 redirection or HTTP 308 redirection, which indicates that the service provider network function or service provider network function instance, or the service or service instance, supports the HTTP 307 feature and/or the HTTP 308 feature. That a service provider network function, service provider network function instance, service or service instance supports the HTTP 307 and/or 308 feature means that the service provider network function can send to the service consumer network function or to the SCP an HTTP status code indicating a temporary redirect (307 temporary redirect) or a permanent redirect (308 permanent redirect), together with information about the target service provider network function to which the request is redirected. In step 2, the NRF stores the NF profile of the service provider network function. In step 3, the NRF sends a response to the request to the service provider network function.
Herein, supporting the HTTP 307 and/or 308 feature may also be referred to as supporting redirection, supporting HTTP redirection, supporting service request redirection, or supporting request redirection. Herein, a statement that a service provider network function supports hypertext transfer protocol (HTTP) redirection also means that the service provider network function instance supports HTTP redirection, that a service of the service provider network function supports HTTP redirection, or that a service instance of the service provider network function supports HTTP redirection.
Herein, the HTTP status code for a temporary redirect (307 temporary redirect) or a permanent redirect (308 permanent redirect) is also referred to as an HTTP redirection status code.
Before sending a service request to a service provider network function, a service consumer network function may perform network function service discovery. For example, FIG. 3 shows the network function service discovery procedure. In step 1, the service consumer network function sends a message requesting service discovery (such as Nnrf_NFDiscovery_Request) to the NRF. The message includes the type of the requested network function, the network function type (NF type) of the service consumer network function, and the like, and may also include the service name of the requested network function service. When the message includes the service name of the requested network function service, it may also include the features that the service consumer network function requires the requested network function service to support. In step 2, the NRF checks whether the service consumer network function is authorized to perform service discovery. In step 3, the NRF returns a response message to the service consumer network function; if the authorization check in step 2 succeeded, the response message includes the discovery result, which may include a validity period of the discovery result and the network function profiles (NF profiles) of one or more network functions. These NF profiles are the profiles corresponding to the network functions or services whose discovery the service consumer network function requested.
Before sending a message to a service provider network function to request a service of that service provider network function, the service consumer network function requests an access token from the NRF. A service consumer network function can request two kinds of access token from the NRF:
(1) An access token for accessing a service of service provider network functions of one network function (NF) type. Herein, this access token may be referred to as an NF-type access token, that is, an access token (NF type).
(2) An access token for accessing a service of one service provider network function instance. Herein, this access token may be referred to as an NF-instance access token, that is, an access token (NF instance).
Herein, unless otherwise stated, "access token" may refer to an access token (NF type) or an access token (NF instance).
FIG. 4 shows the procedure by which a service consumer network function obtains an access token (NF type). As shown in the figure, in step 1, the service consumer network function sends a message requesting an access token (such as Nnrf_AccessToken_Get Request) to the NRF. The message includes the instance identifier of the service consumer network function, the service name of the service requested by the service consumer network function, the NF type of the service provider network function requested by the service consumer network function, and the like. In step 2, the NRF checks whether the service consumer network function is authorized to access the requested service; if the check succeeds, the NRF generates an access token (NF type) that includes the NF type of the service provider network function requested by the service consumer network function, the instance identifier of the service consumer network function, the service name of the requested service, the instance identifier of the NRF, and the like. In step 3, after the authorization check has succeeded, the NRF returns a response message (such as Nnrf_AccessToken_Get Response) to the service consumer network function; the message includes the generated access token (NF type).
The procedure by which a service consumer network function requests an access token (NF instance) is essentially the same as the procedure for requesting an access token (NF type) described above. The difference is that the message sent by the service consumer network function to the NRF to request the access token includes the NF instance identifier of the service provider network function requested by the service consumer network function, and the access token (NF instance) generated and returned by the NRF includes the NF instance identifier of the service provider network function requested by the service consumer network function.
After obtaining the access token, the service consumer network function sends a message requesting the service to the service provider network function; the message includes the access token obtained from the NRF. The service provider network function verifies the access token and provides the service to the service consumer network function only after the access token has been verified successfully. Verification of the access token by the service provider network function includes the following: if the access token includes the network function type of the service provider network function requested by the service consumer network function, the service provider network function verifies whether the network function type in the token matches its own network function type; if the access token includes the instance identifier of the service provider network function requested by the service consumer network function, the service provider network function verifies whether that instance identifier matches its own instance identifier.
The standard protocol defines a hypertext transfer protocol (HTTP) redirection mechanism. In direct communication, when a service provider network function that is overloaded or about to become overloaded receives a service request from a service consumer network function, it may perform an HTTP redirection in order to relieve or avoid the overload, that is, it sends the HTTP redirection status code "307 temporary redirect" to the service consumer network function. This HTTP redirection status code notifies the service consumer network function that another service provider network function is available, namely a target service provider network function that can provide the service requested by the service consumer network function. At the same time, the service provider network function also sends the service consumer network function information about the target service provider network function, including the uniform resource identifier (URI) and/or the instance identifier of the target service provider network function. Based on the received "307 temporary redirect" HTTP redirection status code and the information about the target service provider network function, the service consumer network function sends a service request to the target service provider network function. To distinguish it from the target service provider network function, and for ease of description, the service provider network function to which the service consumer network function first sends the service request is herein referred to as the initial service provider network function (Initial NF service producer) or the first service provider network function, and the target service provider network function may be referred to as the second service provider network function.
In the HTTP redirection mechanism defined above, the service provider network function must support HTTP redirection, that is, it must be able to send the HTTP redirection status code and the information about the target service provider network function to the service consumer network function. The service consumer network function must also support HTTP redirection, that is, after receiving the HTTP redirection status code and the information about the target service provider network function, it sends a service request message to the target service provider network function.
In indirect communication, the service provider network function and the service consumer network function communicate through a service communication proxy (SCP). The service consumer network function sends the SCP a message requesting a service of the service provider network function; the message includes the requested service and information about the service provider network function, which may include, for example, the instance identifier of the service provider network function. Based on the received information about the service provider network function, the SCP sends that service provider network function a message requesting the service; the message includes the service requested by the service consumer network function. In this procedure, after receiving the request message sent by the SCP, the service provider network function may initiate an HTTP redirection, that is, it sends the SCP a response message that includes an HTTP redirection status code and information about the target service provider network function. After receiving this response message, the SCP sends the HTTP redirection status code and the information about the target service provider network function to the service consumer network function, and the service consumer network function sends a service request to the target service provider network function based on the received HTTP redirection status code and target service provider network function information. Depending on its local configuration, the SCP may instead send the service request message directly to the target service provider network function rather than forwarding the received HTTP redirection status code and target service provider information to the service consumer network function. Herein, for ease of description, the service provider network function to which the SCP first sends the service request is referred to as the initial service provider network function (Initial NF service producer) or the first service provider network function, and the target service provider network function may be referred to as the second service provider network function.
In the HTTP redirection mechanism defined above, the service provider network function and the SCP must support redirection, that is, the service provider network function must be able to send the HTTP redirection status code and the information about the target service provider network function to the service consumer network function, and the SCP, after receiving the HTTP redirection status code and the information about the target service provider network function, must be able either to forward the received HTTP redirection status code and target service provider network function information to the service consumer or to send a service request to the target service provider network function. The HTTP redirection mechanism defined above also requires that the service consumer network function support HTTP redirection, that is, after receiving the HTTP redirection status code and the information about the target service provider network function, the service consumer network function sends a service request message to the target service provider network function.
In both direct and indirect communication, when an HTTP redirection occurs, the service consumer network function may be unable to access the service provided by the target service provider network function because it has not obtained a corresponding access token.
To address this, embodiments of the present application provide a network function service authorization method and apparatus that enable the service consumer network function to obtain the service from the target service provider network function when an HTTP redirection occurs.
To describe the technical solutions of the embodiments of the present application more clearly, the service authorization method and apparatus provided by the embodiments are described in detail below with reference to the accompanying drawings.
It should be noted that, herein, the first service provider network function may also be expressed as the first service provider network function instance, the initial service provider network function, or the initial service provider network function instance; the second service provider network function may also be expressed as the second service provider network function instance, the target service provider network function, or the target service provider network function instance; and the first service may also be expressed as the first service instance.
The network function service authorization method provided by an embodiment of the present application may be applied to the communication system shown in FIG. 1. Referring to FIG. 5, the specific procedure of the method may include:
S501: Based on first information, the service consumer network function sends a first request message to the network repository function (NRF). The first request message includes second information and the service name of a first service, and is used to request an access token; the access token is used for the authorization check when the service consumer network function accesses the first service. The first request message also includes the network function type or the network function instance of the requested network function.
Here, the first service is the service requested by the service consumer network function.
In one possible implementation, the first information indicates that the service consumer network function, and/or the first service, and/or the service provider network function that provides the first service, and/or the requested service provider network function supports the HTTP redirection feature. That is, if at least one of the service consumer network function, the first service, the service provider network function that provides the first service, and the requested service provider network function supports the HTTP redirection feature, the first request message sent by the service consumer network function to the NRF should include the second information. Before requesting the access token from the NRF, the service consumer network function may check whether it itself, and/or the first service, and/or the service provider network function that provides the first service, and/or the requested service provider network function supports HTTP redirection. For example, the service consumer network function may check whether it itself supports HTTP redirection by checking its local configuration information; if the local configuration information indicates support, the service consumer network function supports HTTP redirection. For example, the service consumer network function may check whether the first service, the service provider network function that provides the first service, or the requested service provider network function supports HTTP redirection by checking the network function profile (NF profile) corresponding to the first service, to the service provider network function that provides the first service, or to the requested service provider network function; if, in that NF profile, the supported features of the first service, of the requested service provider network function, or of the service provider network function that provides the first service include HTTP redirection, then the first service, the service provider network function that provides the first service, or the requested service provider network function supports HTTP redirection. For an example of this implementation, see the description of FIG. 6 or FIG. 7 below.
In one possible implementation, the first information includes the instance identifiers of multiple service provider network functions. That is, if the first information obtained by the service consumer network function includes the instance identifiers of multiple service provider network functions, for example because the service consumer network function obtained the first information from the NRF during the service discovery procedure and that first information includes the instance identifiers of multiple service provider network functions, the first request message sent by the service consumer network function to the NRF includes the second information. For an example of this implementation, see the description of FIG. 6 or FIG. 7 below.
In one possible implementation, the first information indicates that there are multiple service provider network function instances that provide the first service. That is, if multiple service provider network function instances provide the first service, the first request message sent by the service consumer network function to the NRF should include the second information.
In one possible implementation, the first information indicates that the network function set of the service provider network function that provides the first service contains multiple network function instances. That is, if the network function set of the service provider network function that provides the first service includes multiple network function instances, the first request message sent by the service consumer network function to the NRF should include the second information.
In one possible implementation, the first information indicates that the service consumer network function uses a service communication proxy (SCP) to communicate with the service provider network function. That is, if the service consumer network function communicates with the service provider network function through an SCP, the first request message sent by the service consumer network function to the NRF should include the second information. For example, the service consumer network function may determine from its local configuration whether it uses an SCP to communicate with the service provider network function. For an example of this implementation, see the description of FIG. 7 below.
In one possible implementation, the first information includes a first indication and/or information about the second service provider network function. That is, if the first information includes the first indication and/or the information about the second service provider network function, the first request message sent by the service consumer network function to the NRF should include the second information. In this document, the information about the second service provider network function may include the URI of the second service provider network function and/or the instance identifier of the second service provider network function. The first indication is used to indicate a service access authorization failure, an HTTP redirection, that an access token is to be obtained, or that another service provider network function is available. In direct communication, the first information may be sent by the first service provider network function to the service consumer network function; for an example of this implementation, see the description of FIG. 8 below. In indirect communication, the first information may be sent by the SCP to the service consumer network function after the SCP receives the HTTP redirection status code and the information about the second service provider network function sent by the first service provider network function; for an example of this implementation, see the description of FIG. 9, FIG. 10 or FIG. 11 below.
In one possible implementation, the first information is a message used to notify the service consumer network function of a service access authorization failure, of an HTTP redirection, that an access token is to be obtained, or that another service provider network function is available; in this implementation, the first information optionally includes information about the second service provider network function. In direct communication, the first information may be sent by the first service provider network function to the service consumer network function; for an example of this implementation, see the description of FIG. 8 below. In indirect communication, the first information may be sent by the SCP to the service consumer network function after the SCP receives the HTTP redirection status code and the information about the second service provider network function sent by the first service provider network function; for an example of this implementation, see the description of FIG. 9, FIG. 10 or FIG. 11 below.
Optionally, before the service consumer network function sends the first request message to the network repository function, the service consumer network function receives the first information. That is, the first information may be received by the service consumer network function. In one possible implementation, the first information may come from the network repository function, the service communication proxy, or the first service provider network function; that is, the service consumer network function may receive the first information sent by the network repository function (NRF), the service communication proxy (SCP), or the first service provider network function.
For example, the first information from the first service provider network function may include a first indication (indicating an HTTP redirection, that another service provider network function is available, a service access authorization failure, or that an access token is to be obtained, for example an HTTP redirection status code) and information about the second service provider network function (such as its URI and instance identifier). The second service provider network function is the target service provider network function to which the HTTP redirection points. For an example of this implementation, see the description of FIG. 8 or FIG. 9 below.
For example, the first information from the SCP may include a first indication and/or information about the second service provider network function. The first indication may include information indicating an HTTP redirection or that another service provider network function is available, a service access authorization failure, that an HTTP redirection has occurred, or that an access token is to be obtained. The information about the second service provider network function includes the URI or the instance identifier of the second service provider network function. The second service provider network function is the target service provider network function to which the HTTP redirection points.
For example, the first information from the SCP may be a message used to notify the service consumer network function of a service access authorization failure, of an HTTP redirection, that an access token is to be obtained, or that another service provider network function is available. The message optionally includes information about the second service provider network function, which includes the URI or the instance identifier of the second service provider network function. The second service provider network function is the target service provider network function to which the HTTP redirection points. For an example of this implementation, see the description of FIG. 10 or FIG. 11 below.
In a possible implementation, the second information may include: the NF type and/or NF Set identifier of the service provider network function requested by the service consumer network function; or the network function type and/or network function set (NF Set) identifier of the service provider network function that provides the first service; or the network function type and/or NF Set identifier of the first service provider network function; or the network function type and/or NF Set identifier of the second service provider network function. The service provider network functions that provide the first service include the first service provider network function and the second service provider network function. Because the first request message includes the second information, the access token that the network repository function generates after successfully checking the service consumer network function's authorization also includes the second information. Because the network function type in the access token is the same as the network function type of the second service provider network function, and/or the network function set identifier in the access token is the same as the network function set identifier of the second service provider network function, the service consumer network function can use this token when accessing the first service of the second service provider network function.
Herein, a network function set (NF Set) may include one or more network functions; specifically, it may include the instance identifiers of one or more network functions. These network functions have the same network function type and can provide the same services.
Herein, the network function type of the service provider network function requested by the service consumer network function, the network function type of the second service provider network function, and the network function type of the first service provider network function are all the same. Likewise, the NF Set identifier of the service provider network function requested by the service consumer network function, the NF Set identifier of the second service provider network function, and the NF Set identifier of the first service provider network function are all the same.
In a possible implementation, the second information may include the instance identifier of the second service provider network function. Because the first request message includes the instance identifier of the second service provider network function, the access token that the network repository function generates after successfully verifying the service consumer network function's service access authorization also includes the instance identifier of the second service provider network function. The service consumer can therefore use the access token to access the first service of the second service provider.
In a possible implementation, the second information may include the instance identifiers of multiple service provider network functions, for example service provider network functions that can all provide the first service, such as the first service provider network function or the second service provider network function. Because the first request message includes the instance identifiers of multiple service provider network functions, the access token generated by the network repository function also includes the instance identifiers of these multiple service provider network functions, among them the instance identifier of the second service provider network function. The service consumer can therefore use the generated access token to access the first service of the second service provider.
S502: The network repository function (NRF) generates an access token.
After receiving the first request message sent by the service consumer network function, the NRF can check the service access authorization of that service consumer network function. If the check succeeds, the NRF generates an access token that includes the service name of the first service and the second information, and sends the generated access token to the service consumer network function in a first response message. Otherwise the NRF refuses to generate an access token for the service consumer network function and sends it a first response message that includes the error cause, for example authorization failure.
The NRF generating an access token means that the NRF generates a first access token, or a second access token, or at least two third access tokens, or a fourth access token. The NRF sending the generated access token to the service consumer network function in the first response message means that the NRF sends the first access token, or the second access token, or the at least two third access tokens, or the fourth access token to the service consumer network function. See the description of the first, second, third, and fourth access tokens in S503.
S503: The service consumer network function receives the first response message from the NRF.
In a possible implementation, the access token in the first response message may include a first access token. The first access token includes the NF type and/or the NF Set identifier of a service provider network function. The type of the first access token may be "access token (NF type)". That service provider network function is the service provider network function requested by the service consumer network function, or a service provider network function that can provide the first service, or the first service provider network function. Exemplarily, the first access token includes the second information, that is, the first access token includes the NF type and/or NF Set identifier of the service provider network function requested by the service consumer network function, or the NF type and/or NF Set identifier of the second service provider network function, or the NF type and/or NF Set identifier of the first service provider network function. Because the NF type included in the first access token is the same as the NF type of the second service provider network function, and/or the NF Set identifier included in the first access token is the same as the NF Set identifier of the second service provider network function, when a redirection occurs the service consumer network function can use the first access token to access the first service of the second service provider network function. For example, when the service consumer network function requests an access token from the NRF before sending a message requesting the service to the first service provider network function or the second service provider network function, the NRF may send this first access token to the service consumer network function. For an example of this implementation, see the related content of FIG. 6 or FIG. 7.
In a possible implementation, the access token in the first response message may include a second access token, which includes the instance identifiers of multiple service provider network functions. Exemplarily, the second access token includes the second information; this should be understood to mean that the second information includes the instance identifiers of multiple service provider network functions, and that every service provider network function instance identifier included in the second access token is one of the service provider network function instance identifiers in the second information. Exemplarily, these providers can all provide the first service, that is, they include the second service provider network function, so the second access token includes the instance identifier of the second service provider network function; therefore, when a redirection occurs, the service consumer network function can use the second access token to access the first service of the second service provider network function. The type of the second access token may be "access token (NF instance)". Exemplarily, when the service consumer network function requests an access token from the NRF before sending a service request to the first service provider network function or the second service provider network function, the NRF may send this second access token to the service consumer network function. For an example of this implementation, see the related content of FIG. 6 or FIG. 7.
In a possible implementation, the access token in the first response message may include multiple third access tokens, each of which includes the instance identifier of one service provider network function that can provide the first service, such as the first service provider network function and the second service provider network function. The third access tokens include the second information; this can be understood to mean that the service provider network function instance identifier in each third access token is one of the instance identifiers of the multiple service provider network functions in the second information. In this way, when a redirection occurs, the service consumer network function can use the third access token that includes the instance identifier of the second service provider network function to access the first service of the second service provider network function. The type of the third access token may be "access token (NF instance)". Exemplarily, when the service consumer network function requests an access token from the NRF before sending a service request to the first service provider network function or the second service provider network function, the NRF may send these multiple third access tokens to the service consumer network function. For an example of this implementation, see the related content of FIG. 5.
In a possible implementation, the access token in the first response message may include a fourth access token, which includes the instance identifier of the second service provider network function. The fourth access token includes the second information; this can be understood to mean that the second information includes the instance identifier of the second service provider network function, and the instance identifier in the fourth access token is likewise the instance identifier of the second service provider network function, that is, the second information. When a redirection occurs, the service consumer network function can use the fourth access token to access the first service of the second service provider network function. The type of the fourth access token may be "access token (NF instance)". Exemplarily, after the service consumer network function receives the first information sent by the first service provider network function or the SCP, where the first information includes the instance identifier of the second service provider network function, the service consumer network function sends a first request message to the NRF to request an access token, and the first request message includes the received instance identifier of the second service provider network function. The NRF sends the fourth access token, which includes the instance identifier of the second service provider network function, to the service consumer network function. For an example of this implementation, see the related content of FIG. 8, FIG. 9, FIG. 10, or FIG. 11.
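The provider-side check that the four token kinds above imply, written as an added example (not code from the patent or its applicant): the redirect target decides whether a presented access token covers it by NF type, by NF Set identifier, or by instance identifier, and a token bound only to the initial provider's instance is rejected, which is the case the described procedure sets out to avoid. The token claim names (`scope`, `exp`, `nf_type`, `nf_set_id`, `nf_instance_ids`) and the SMF identifiers are assumptions constructed here; the check also requires every binding the token carries to match, which is stricter than the text's and/or.

```python
"""Provider-side check of an access token after an HTTP redirection.

Constructed example, not code from the patent: the token is a plain dict and
the claim names (scope, exp, nf_type, nf_set_id, nf_instance_ids) are
assumptions made here for the four token kinds described in the text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProviderNF:
    """What a service provider network function knows about itself."""
    instance_id: str
    nf_type: str
    nf_set_id: str


def token_authorizes(token: dict, provider: ProviderNF, service: str, now: int) -> bool:
    """Return True if `token` authorizes `service` at `provider` at time `now`.

    The token must name the service in its scope, be unexpired, carry at
    least one producer binding, and every binding it carries must match:
      - nf_type / nf_set_id  -> "access token (NF type)" (first token);
      - nf_instance_ids      -> "access token (NF instance)" (second, third,
                                 fourth token): the provider's own instance
                                 identifier must be in the list.
    Requiring every present binding to match is a defensive choice made here.
    """
    if now >= token.get("exp", 0):
        return False
    if service not in token.get("scope", ()):
        return False
    bindings = 0
    if "nf_type" in token:
        bindings += 1
        if token["nf_type"] != provider.nf_type:
            return False
    if "nf_set_id" in token:
        bindings += 1
        if token["nf_set_id"] != provider.nf_set_id:
            return False
    if "nf_instance_ids" in token:
        bindings += 1
        if provider.instance_id not in token["nf_instance_ids"]:
            return False
    return bindings > 0


def pick_third_token(third_tokens: list, target_instance_id: str):
    """From several third access tokens (one instance identifier each), pick
    the one bound to the redirect target, or None if there is none."""
    for tok in third_tokens:
        if tok.get("nf_instance_ids") == [target_instance_id]:
            return tok
    return None


# Constructed sample data: two SMF instances in one NF Set both offer the
# PDU-session service; the consumer was redirected from the first to the second.
SERVICE = "nsmf-pdusession"
NF_SET = "set1.smfset.5gc.mnc001.mcc001"
FIRST_PROVIDER = ProviderNF("smf-001", "SMF", NF_SET)
SECOND_PROVIDER = ProviderNF("smf-002", "SMF", NF_SET)
NOW = 1_700_000_000

SAMPLE_TOKENS = {
    # first access token: bound to the NF type (and NF Set) of the providers
    "first": {"scope": [SERVICE], "exp": NOW + 600, "nf_type": "SMF", "nf_set_id": NF_SET},
    # second access token: bound to several instances that provide the service
    "second": {"scope": [SERVICE], "exp": NOW + 600, "nf_instance_ids": ["smf-001", "smf-002"]},
    # fourth access token: bound only to the redirect target
    "fourth": {"scope": [SERVICE], "exp": NOW + 600, "nf_instance_ids": ["smf-002"]},
    # token bound only to the initial provider: the case the text sets out to avoid
    "initial_only": {"scope": [SERVICE], "exp": NOW + 600, "nf_instance_ids": ["smf-001"]},
    # no producer binding at all, and an expired token
    "unbound": {"scope": [SERVICE], "exp": NOW + 600},
    "expired": {"scope": [SERVICE], "exp": NOW - 1, "nf_type": "SMF"},
}


def outcome_at_second_provider() -> dict:
    """Which sample tokens the redirect target accepts for the first service."""
    return {name: token_authorizes(tok, SECOND_PROVIDER, SERVICE, NOW)
            for name, tok in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    for name, ok in outcome_at_second_provider().items():
        print(f"{name:13s} -> {'accepted' if ok else 'rejected'} by {SECOND_PROVIDER.instance_id}")
```

Only `first`, `second` and `fourth` are accepted by `smf-002`; `initial_only` is accepted by `smf-001` but not by the redirect target, which is exactly why the consumer needs a token that carries the second information.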
Optionally, the above procedure may further include the following step: after receiving the first response message from the NRF, the service consumer network function sends a second request message to the first service provider network function, the second service provider network function, or the service communication proxy. The second request message is used to request the service and includes the first access token, the second access token, the third access token, or the fourth access token.
Exemplarily, after obtaining the access token in the first response message, the service consumer network function may send a second request message (that is, a message used for the service request) to the first service provider network function (that is, the initial service provider network function). This service request message may include the first access token, the second access token, or the third access token. For an example of this implementation, see the related content of FIG. 6 or FIG. 7 below.
Exemplarily, after obtaining the access token in the first response message, the service consumer network function may send a second request message (that is, a message used for the service request) to the second service provider network function. This service request message may include the first access token, the second access token, the third access token, or the fourth access token. For an example of this implementation, see the related content of FIG. 8, FIG. 9, FIG. 10, or FIG. 11 below.
Optionally, the above procedure may further include the following step: before receiving the first information, the service consumer network function sends a third request message to the first service provider network function or the service communication proxy. The third request message is used to request the first service (that is, the service requested by the consumer network function) and includes a fifth access token. That is, after the service consumer network function sends the third request message (that is, a message used for the service request) to the first service provider network function (in the direct communication scenario) or to the SCP (in the indirect communication scenario), it receives the first information sent by the first service provider network function or the SCP. Based on the first information, the service consumer network function sends the first request message to the NRF to request an access token. In a possible implementation, before sending the first request message to the NRF, the service consumer checks the fifth access token: if the fifth access token satisfies the second condition, the service consumer network function sends the first request message to the NRF; otherwise the service consumer does not send the first request message to the NRF but directly sends a message requesting the service to the SCP or to the second service provider network function, where that message includes the fifth access token. The second condition is: the fifth access token includes the instance identifier of the first service provider network function, and/or the fifth access token does not include the NF type of the service provider network function, and/or the fifth access token does not include the NF Set identifier of the service provider network function, and/or the fifth access token does not include the NF Set identifier and NF type of the service provider network function, and/or the fifth access token does not include the instance identifier of the second service provider network function. That is, if the fifth access token includes the instance identifier of the first service provider network function, and/or does not include the NF type of the service provider network function, and/or does not include the NF Set identifier of the service provider network function, and/or does not include the NF Set identifier and NF type of the service provider network function, and/or does not include the instance identifier of the second service provider network function, then the service consumer network function sends the first request message, which includes the second information, to the NRF. Otherwise, if the fifth access token includes the instance identifier of the second service provider network function, and/or includes the NF type of the service provider network function, and/or includes the NF Set identifier of the service provider network function, and/or includes the NF Set identifier and NF type of the service provider network function, then the service consumer network function directly sends a message requesting the service to the SCP or to the second service provider network function, where that message includes the fifth access token.
For an example of this implementation, see the related content of FIG. 8, FIG. 9, FIG. 10, or FIG. 11 below.
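The consumer-side decision just described, as an added example (not code from the patent or its applicant): on receiving the first information, the consumer tests the fifth access token against the second condition and either reuses it in a service request to the redirect target or sends the NRF a first request message carrying the second provider's instance identifier as the second information. The shape of the first information, the token claim names and the SMF identifiers are assumptions constructed here.

```python
"""Consumer-side handling of the first information after an HTTP redirection.

Constructed example, not code from the patent. The fifth access token is a dict
with the claim names assumed here (scope, nf_type, nf_set_id, nf_instance_ids);
the first information is a dict with an indication plus the target's URI and
instance identifier.
"""


def fifth_token_reusable(fifth_token: dict, second_instance_id: str) -> bool:
    """Negation of the text's 'second condition'.

    The fifth token can be reused at the redirect target when it already
    includes the second provider's instance identifier, and/or an NF type,
    and/or an NF Set identifier. The presence test for NF type and NF Set
    relies on the text's premise that the first and second providers share
    both; a token bound only to the first provider's instance fails it.
    """
    ids = fifth_token.get("nf_instance_ids", [])
    return (second_instance_id in ids
            or "nf_type" in fifth_token
            or "nf_set_id" in fifth_token)


def next_step(first_information: dict, fifth_token: dict, service: str) -> dict:
    """Decide what the consumer sends next once the first information arrives.

    Returns either a service request to the target carrying the fifth token,
    or the first request message to the NRF carrying the second information
    (the target's instance identifier), from which a fourth access token results.
    """
    target = first_information["target"]
    if fifth_token_reusable(fifth_token, target["instance_id"]):
        # Second condition not met: go straight to the target (or via the SCP).
        return {"action": "service_request", "uri": target["uri"], "token": fifth_token}
    # Second condition met: ask the NRF for a token bound to the target.
    return {
        "action": "token_request",
        "first_request": {
            "scope": [service],
            "second_information": {"nf_instance_id": target["instance_id"]},
        },
    }


# Constructed first information: a 307 redirect from smf-001 pointing at smf-002.
FIRST_INFORMATION = {
    "indication": "HTTP_REDIRECT",
    "status": 307,
    "target": {"uri": "https://smf-002.5gc.example/nsmf-pdusession/v1",
               "instance_id": "smf-002"},
}

# Constructed fifth tokens: one bound only to the initial provider's instance,
# one bound to the NF type shared by both providers.
TOKEN_FIRST_ONLY = {"scope": ["nsmf-pdusession"], "nf_instance_ids": ["smf-001"]}
TOKEN_NF_TYPE = {"scope": ["nsmf-pdusession"], "nf_type": "SMF"}

if __name__ == "__main__":
    for label, tok in (("instance-bound", TOKEN_FIRST_ONLY), ("type-bound", TOKEN_NF_TYPE)):
        print(label, "->", next_step(FIRST_INFORMATION, tok, "nsmf-pdusession")["action"])
```

With the instance-bound token the consumer goes back to the NRF; with the type-bound token it proceeds directly to the target, which is the saving the procedure is designed to offer.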
Optionally, the above procedure may further include the following step: before receiving the first information, the service consumer network function sends a fourth request message to the NRF. The fourth request message includes the service name of the first service (that is, the service requested by the consumer network function) and is used to request discovery of the first service or discovery of network function instances that can provide the first service. That is, the service consumer network function first sends the fourth request message to the NRF to perform service discovery, and the NRF may send the network function profiles (NF profiles) of multiple service provider network functions to the service consumer network function; these profiles include the instance identifiers of the service provider network functions, and these network functions can provide the first service. This can be understood to mean that the service consumer network function can obtain the identifiers of multiple service provider network functions (that is, the first information) from the NRF. For an example of the service discovery procedure, see the procedure shown in FIG. 3.
In the procedure shown in FIG. 5 above, the first request message sent by the service consumer network function carries the service name of the first service and the second information, where the first service is the service requested by the service consumer network function and the second information is the network function type of the service provider network function that provides the first service, or the network function set identifier of the service provider network function that provides the first service, or the instance identifier of the second service provider network function (that is, the target service provider network function), or the network function type of the first service provider network function, or the network function set identifier of the first service provider network function, or the network function type of the second service provider network function, or the network function set identifier of the second service provider network function. Through this first request message, the service consumer network function can obtain an access token that includes the second information. This access token is used for the authorization check when the service consumer network function accesses the first service (that is, the requested service) of the second service provider network function. In this way, when a redirection occurs and the service consumer network function needs to access the first service of the second service provider network function, the service consumer network function has already obtained an access token that can be used for the authorization check when accessing the first service of the second service provider network function; the second service provider network function can therefore check the access token successfully and then provide the service to the service consumer network function. This ensures that, when a redirection occurs, the service consumer network function can obtain the service provided by the second service provider network function.
Referring to FIG. 6, which is a schematic flowchart of a network function service authorization method in the direct communication scenario in an embodiment of the present application, the procedure may include:
Step 0: Before requesting an access token, the service consumer network function determines or receives the first information.
In a possible implementation, the service consumer network function determining the first information includes checking whether the service consumer network function, and/or the requested service, and/or the requested service provider network function supports HTTP redirection. If so, the service consumer network function determines the first information, that is, it determines that the service consumer network function, and/or the requested service, and/or the requested service provider network function supports HTTP redirection. In other words, the first information indicates that the service consumer network function, and/or the requested service, and/or the requested service provider network function supports the HTTP redirection feature, or indicates that at least one of the service consumer network function, the requested service, and the requested service provider network function supports the HTTP redirection feature. Here, the requested service is the first service, and the requested service provider network function may be the first service provider network function or a service provider network function that provides the first service. It can be understood that the service provider network functions that provide the first service include the first service provider network function and the second service provider network function.
Here, the first information indicates that the service consumer network function, and/or the first service, and/or the service provider network function that provides the first service supports HTTP redirection.
In a possible implementation, the service consumer network function receiving the first information includes the service consumer network function receiving, from the NRF, the NF profiles of multiple network functions or the instance identifiers of multiple network functions, where these network functions can provide the first service. Here the first information includes the NF profiles of multiple network functions or the instance identifiers of multiple network functions. This can be understood as follows: before receiving the first information, the service consumer network function sends a message requesting service discovery to the NRF, and that message includes the service name of the first service; the NRF sends the discovery result to the service consumer, and the result includes the first information, namely the network function profiles (NF profiles) of multiple network functions or the instance identifiers of multiple network functions. Each NF profile includes the instance identifier of a network function, and all of these network functions can provide the first service.
In a possible implementation, the service consumer network function determining the first information includes checking whether there are multiple service provider network function instances that can provide the first service. If there are, the service consumer network function determines the first information, that is, it determines that there are multiple service provider network function instances providing the first service. Here the first information indicates that there are multiple service provider network function instances providing the first service.
In a possible implementation, the service consumer network function determining the first information includes checking whether the network function set of the service provider network function that can provide the first service contains multiple network function instances. If so, the service consumer network function determines the first information, that is, it determines that the network function set of the service provider network function that can provide the first service contains multiple network function instances. Here the first information is used to indicate that the network function set of the service provider network function that can provide the first service contains multiple network function instances.
Herein, the HTTP redirection feature is also referred to simply as HTTP redirection.
Optionally, when the service consumer network function checks whether it itself supports HTTP redirection, it may rely on its local configuration: if the local configuration indicates that the service consumer network function supports HTTP redirection, this shows that the service consumer network function supports HTTP redirection.
Optionally, when the service consumer network function checks whether the requested service provider network function, the requested service (that is, the first service), or the requested service instance (that is, the first service instance) supports HTTP redirection, it may check according to its local configuration or according to the network function profile (NF profile) obtained from the NRF. In a possible implementation, during the service discovery procedure the NRF returns the NF profile to the service consumer network function. If the supported features (supportedFeatures) in the NF profile of the requested service provider network function include HTTP redirection, this shows that the requested service provider network function, the requested service, or the requested service instance supports HTTP redirection. If the supported features (supportedFeatures) of the first service or the first service instance in the NF profile include HTTP redirection, this shows that the first service or the first service instance supports HTTP redirection.
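The Step 0 checks above, carried through as an added example (not code from the patent or its applicant): from the consumer's local configuration and the NF profiles returned by discovery, the consumer determines whether the first information is present (HTTP redirection supported by the consumer or by the requested service, several instances providing the service, several instances in one NF Set) and, when it is, builds the access-token request with the second information. The profile layout, the feature name `HTTP_REDIRECT`, the field names of the request, and the sample SMF/AMF profiles are assumptions constructed here.

```python
"""Step 0 of the direct-communication flow: determine the first information,
then build the access-token request that carries the second information.

Constructed example, not code from the patent. The NF profile layout
(nfInstanceId, nfType, nfSetIdList, nfServices[].serviceName/supportedFeatures),
the feature name HTTP_REDIRECT and the request field names are assumptions.
"""
from collections import Counter


def provider_profiles_for(nf_profiles: list, service: str) -> list:
    """NF profiles that advertise the requested service."""
    return [p for p in nf_profiles
            if any(s["serviceName"] == service for s in p["nfServices"])]


def service_supports_redirect(profile: dict, service: str) -> bool:
    """True if supportedFeatures of the requested service in this profile
    include HTTP redirection."""
    return any(s["serviceName"] == service
               and "HTTP_REDIRECT" in s.get("supportedFeatures", [])
               for s in profile["nfServices"])


def determine_first_information(local_config: dict, nf_profiles: list, service: str) -> list:
    """Return the reasons the text lists for Step 0; an empty list means the
    consumer has no first information and the text's condition is not met."""
    reasons = []
    providers = provider_profiles_for(nf_profiles, service)
    if local_config.get("http_redirect_supported", False):
        reasons.append("consumer supports HTTP redirection (local configuration)")
    if any(service_supports_redirect(p, service) for p in providers):
        reasons.append("requested service/provider supports HTTP redirection (NF profile)")
    if len(providers) > 1:
        reasons.append("multiple instances provide the first service")
    per_set = Counter(s for p in providers for s in p.get("nfSetIdList", []))
    if any(n > 1 for n in per_set.values()):
        reasons.append("an NF Set of the provider holds multiple instances")
    return reasons


def build_token_request(local_config: dict, nf_profiles: list, service: str) -> dict:
    """Step 1 as the text states it: the request to the NRF names the first
    service, and includes the second information (NF type, NF Set identifiers
    and instance identifiers of the providers) only when Step 0 found first
    information."""
    request = {"scope": [service]}
    providers = provider_profiles_for(nf_profiles, service)
    if determine_first_information(local_config, nf_profiles, service) and providers:
        request["second_information"] = {
            "nf_type": providers[0]["nfType"],
            "nf_set_ids": sorted({s for p in providers for s in p.get("nfSetIdList", [])}),
            "nf_instance_ids": [p["nfInstanceId"] for p in providers],
        }
    return request


# Constructed discovery result: two SMFs in one NF Set offer the PDU-session
# service (only the first advertises HTTP redirection), plus an unrelated AMF.
SMF_SET = "set1.smfset.5gc.mnc001.mcc001"
SAMPLE_NF_PROFILES = [
    {"nfInstanceId": "smf-001", "nfType": "SMF", "nfSetIdList": [SMF_SET],
     "nfServices": [{"serviceName": "nsmf-pdusession", "supportedFeatures": ["HTTP_REDIRECT"]}]},
    {"nfInstanceId": "smf-002", "nfType": "SMF", "nfSetIdList": [SMF_SET],
     "nfServices": [{"serviceName": "nsmf-pdusession", "supportedFeatures": []}]},
    {"nfInstanceId": "amf-001", "nfType": "AMF", "nfSetIdList": ["set1.amfset.5gc.mnc001.mcc001"],
     "nfServices": [{"serviceName": "namf-comm", "supportedFeatures": []}]},
]
CONSUMER_CONFIG = {"http_redirect_supported": True}

if __name__ == "__main__":
    for r in determine_first_information(CONSUMER_CONFIG, SAMPLE_NF_PROFILES, "nsmf-pdusession"):
        print("first information:", r)
    print(build_token_request(CONSUMER_CONFIG, SAMPLE_NF_PROFILES, "nsmf-pdusession"))
```

With a single provider that does not advertise redirection and a consumer that does not support it, no reason is found and the request carries only the service name; this keeps the second information out of tokens for deployments where a redirection cannot occur.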
Step 1: According to the first information, the service consumer network function sends a message for requesting an access token to the NRF; the message includes the second information. This message corresponds to the first request message in FIG. 5.
That the service consumer network function sends, according to the first information, a message for requesting an access token to the NRF, the message including the service name of the first service and the second information, should be understood as follows: after determining or receiving the first information, the service consumer network function sends a message for requesting an access token to the NRF, and that message shall include the second information. That is:
if the service consumer network function, and/or the requested service, and/or the requested service provider network function supports HTTP redirection, the service consumer network function sends a message for requesting an access token to the NRF, and the message shall include the second information; or
if at least one of the service consumer network function, the requested service and the requested service provider network function supports HTTP redirection, the service consumer network function sends a message for requesting an access token to the NRF, and the message shall include the second information; or
if the first information received by the service consumer network function includes the NF Profiles of multiple network functions or the instance identifiers of multiple network functions, the service consumer network function sends a message for requesting an access token to the NRF, and the message shall include the second information; or
if there are multiple service provider network function instances that can provide the first service, the service consumer network function sends a message for requesting an access token to the NRF, and the message shall include the second information; or
if the network function set of the service provider network function that can provide the first service contains multiple network function instances, the service consumer network function sends a message for requesting an access token to the NRF, and the message shall include the second information.
The second information includes: the NF type and/or NF Set identifier of the requested service provider network function; or the NF type and/or NF Set identifier of the first service provider network function; or the instance identifiers of multiple service provider network functions, each of which can provide the first service. It should be understood that the service provider network function requested by the service consumer may be the first service provider network function, or a service provider network function that provides the first service. The service provider network functions that provide the first service include the first service provider network function and the second service provider network function. The NF type of the first service provider network function, the NF type of the second service provider network function and the NF type of the requested service provider network function are the same. The NF Set identifier of the first service provider network function, the NF Set identifier of the second service provider network function and the NF Set identifier of the requested service provider network function are the same.
Step 2: The NRF checks whether the service consumer network function is authorized to access the requested first service. After the check succeeds, the NRF generates one or more access tokens, in one of the following three cases:
Case 1: A first access token is generated, which includes the NF type and/or NF Set identifier of the requested service provider network function, or the NF type and/or NF Set identifier of the first service provider network function; that is, the first access token includes the second information.
Case 2: A second access token is generated, which includes the instance identifiers of multiple service provider network functions; each service provider network function instance identifier in the second access token is an instance identifier of a service provider network function in the second information, that is, the second access token includes the second information.
Case 3: Multiple third access tokens are generated, each including the instance identifier of one service provider network function, that instance identifier being one of the multiple service provider network function instance identifiers in the second information.
The first access token, the second access token and the third access tokens above further include the name of the first service, the instance identifier of the service consumer network function, and the like.
Step 3: The NRF returns the generated access token or tokens to the service consumer network function.
Step 4: The service consumer network function sends a message for requesting the service (that is, a service request) to the first service provider network function (that is, the initial service provider network function); the message includes the access token or tokens obtained in step 3.
Optionally, when the service consumer network function receives multiple access tokens in step 3, it may include in this message all of the received access tokens, or one of the third access tokens, namely the third access token that includes the instance identifier of the first service provider network function. This message corresponds to the second request message sent to the first service provider network function in the flow shown in FIG. 5.
Step 5: The first service provider network function may send a response message to the service consumer network function that includes an HTTP redirection status code (for example HTTP 307 or HTTP 308) and information about the second service provider network function (that is, the target service provider network function), such as its instance identifier and/or URI.
Step 6: According to the HTTP redirection status code and the information about the second service provider network function, the service consumer network function sends a message for requesting the service to the second service provider network function; the message includes the access token or tokens received in step 3. This service request message corresponds to the second request message sent to the second service provider network function in the flow shown in FIG. 5.
In a possible implementation, when the service consumer network function received multiple access tokens in step 3, it selects the access token that includes the instance identifier of the second service provider network function and includes that access token in the message of step 6; alternatively, the service consumer network function includes all of the received access tokens in the message of step 6.
Step 7: The second service provider network function verifies the received access token and, if verification succeeds, provides the service to the service consumer network function.
In a possible implementation, when the access token includes the instance identifiers of multiple service provider network functions, the second service provider network function checks whether its own instance identifier is among them. If it is not, verification of the access token fails: the second service provider network function does not execute the service requested by the service consumer network function and returns a response message that includes the cause of the error. If verification of the access token succeeds, the second service provider network function executes the service requested by the service consumer network function.
It should be noted that in the flow shown in FIG. 6 above, steps 1-3 (the access token acquisition procedure) and steps 4-7 (the service access procedure) are two independent procedures and may be executed independently.
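The FIG. 6 exchange above, as an added example that is not code from the patent or from any 3GPP implementation: the NRF side of step 2 producing the first, second or third access tokens from the second information, the consumer's token selection of step 6, and the producer-side verification of step 7, including the rejection when a multi-instance token does not name the producer. Tokens are JWTs signed with HMAC-SHA256 under a shared key so that the example runs on the Python standard library alone; a real NRF signs with its own provisioned key material per 3GPP TS 33.501. The claim names (iss, sub, aud, scope, exp, producerNfSetId) follow the AccessTokenClaims layout of TS 29.510; the key, the NF identifiers and the timestamps are constructed for this example. Treating a missing producerNfSetId on an NF-type token as "any set" and rejecting a mismatching one is this example's choice, not something the page states.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Any

NRF_KEY = b"constructed-example-key"  # assumption: shared NRF/producer key


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict[str, Any], key: bytes = NRF_KEY) -> str:
    """Compact JWS (HS256) over the claims; the NRF's signing step."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_verified(token: str, key: bytes = NRF_KEY) -> dict[str, Any]:
    """Return the claims only if the signature checks out."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature check failed")
    return json.loads(_b64url_decode(body))


def nrf_issue_tokens(consumer_id: str, service_name: str, second_info: dict[str, Any],
                     now: int, nrf_id: str = "nrf-1", ttl: int = 3600) -> list[str]:
    """Step 2.  case 1: nf_type / nf_set_id -> one first access token;
    case 2: instance_ids -> one second access token naming them all;
    case 3: instance_ids + one_token_per_instance -> one third token each."""
    base = {"iss": nrf_id, "sub": consumer_id, "scope": service_name,
            "iat": now, "exp": now + ttl}
    ids = second_info.get("instance_ids")
    if ids and second_info.get("one_token_per_instance"):
        return [sign_token({**base, "aud": iid}) for iid in ids]
    if ids:
        return [sign_token({**base, "aud": list(ids)})]
    claims = dict(base)
    if "nf_type" in second_info:
        claims["aud"] = second_info["nf_type"]
    if "nf_set_id" in second_info:
        claims["producerNfSetId"] = second_info["nf_set_id"]
    return [sign_token(claims)]


@dataclass(frozen=True)
class Producer:
    instance_id: str
    nf_type: str
    nf_set_id: str


def select_token_for(tokens: list[str], target_instance_id: str) -> list[str]:
    """Step 6: prefer the token that names the redirect target; otherwise send all."""
    for tok in tokens:
        aud = decode_verified(tok).get("aud")
        if aud == target_instance_id or (isinstance(aud, list) and target_instance_id in aud):
            return [tok]
    return list(tokens)


def producer_verify(producer: Producer, token: str, service_name: str,
                    now: int) -> tuple[bool, str]:
    """Step 7: signature, expiry, scope, then audience against this producer."""
    try:
        claims = decode_verified(token)
    except ValueError as exc:
        return False, str(exc)
    if claims["exp"] <= now:
        return False, "token expired"
    if service_name not in claims["scope"].split():
        return False, "service not in scope"
    aud = claims.get("aud")
    set_id = claims.get("producerNfSetId")
    if isinstance(aud, list):                          # second or third tokens
        if producer.instance_id not in aud:
            return False, "producer instance not in audience"
    elif aud == producer.instance_id:                  # single-instance token
        pass
    elif aud == producer.nf_type:                      # first token bound to NF type
        if set_id is not None and set_id != producer.nf_set_id:
            return False, "NF Set mismatch"
    elif aud is None and set_id == producer.nf_set_id:  # first token bound to NF Set only
        pass
    else:
        return False, "audience mismatch"
    return True, "ok"
```

With two AMF instances in one NF Set, a case 1 token is accepted by either instance, a case 2 token is accepted only by the instances it lists, and a case 3 token is accepted only by the single instance it names, which is why the consumer selects the third token matching the redirect target before re-sending the request.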
Referring to FIG. 7, which is a schematic flowchart of a network function service authorization method in the indirect communication scenario according to an embodiment of the present application, the flow may include:
Step 0: Before requesting an access token, the service consumer network function determines or receives the first information. The specific implementation of this step is basically the same as step 0 in FIG. 6, with the following differences:
In a possible implementation, the service consumer network function determines the first information by checking whether it communicates with the service provider network function through an SCP. If so, the service consumer network function determines the first information, that is, it determines that it communicates with the service provider network function through the SCP. Here the first information indicates that the service consumer network function communicates with the service provider network function through the SCP.
Optionally, the check of whether the service consumer network function communicates with the service provider network function through the SCP may be performed according to local configuration: if the local configuration indicates that the network or the service consumer network function supports or uses indirect communication, or indicates whether the service consumer network function communicates with the service provider network function through the SCP, that indicates whether the service consumer network function communicates with the service provider network function through the SCP.
Step 1: According to the first information, the service consumer network function sends a message for requesting an access token to the NRF, including the second information. The specific implementation of this step is basically the same as step 1 in FIG. 6.
Step 2: The NRF checks whether the service consumer network function is authorized to access the requested first service. After the check succeeds, the NRF generates one or more access tokens. The specific implementation of this step is basically the same as step 2 in FIG. 6.
Step 3: The NRF returns the generated access token or tokens to the service consumer network function.
Step 4: The service consumer network function sends a message for requesting the service (that is, a service request) to the first service provider network function (that is, the initial service provider network function); the message is delivered to the first service provider network function via the SCP. For the content of the message, see the description of the corresponding step in FIG. 6.
Step 5: The first service provider network function may send a response message that includes an HTTP redirection status code (for example HTTP 307 or HTTP 308) and information about the second service provider network function (that is, the target service provider network function), such as its URI and/or instance identifier; the response message is delivered to the service consumer network function via the SCP.
Step 6: After receiving the response message of step 5, the service consumer network function sends a service request message to the second service provider network function according to the HTTP redirection status code and the information about the second service provider network function; the message includes the access token or tokens received in step 3 and is delivered to the second service provider network function via the SCP. For the specific implementation of this step, see the description of the corresponding step in FIG. 6.
Step 7: The second service provider network function verifies the received access token and, if verification succeeds, provides the service to the service consumer network function. For the specific implementation of this step, see the description of the corresponding step in FIG. 6.
In a possible implementation, after receiving the HTTP redirection status code and the information about the second service provider network function sent by the first service provider network function, the SCP sends the service request message directly to the second service provider network function.
It should be noted that in the flow shown in FIG. 7 above, steps 1-3 (the access token acquisition procedure) and steps 4-7 (the service access procedure) are two independent procedures and may be executed independently.
Referring to FIG. 8, which is a schematic flowchart of a network function service authorization method in the direct communication scenario according to an embodiment of the present application, the flow may include:
Step 1: The service consumer network function sends a message for requesting an access token to the NRF. The message includes the instance identifier of the service consumer network function and the service name of the service requested by the service consumer network function. The message may further include the NF type or instance identifier of the service provider network function requested by the service consumer network function. The service requested by the service consumer network function is the first service. The service provider network function requested by the service consumer network function is a service provider network function that provides the first service, for example the first service provider network function.
Step 2: The NRF checks whether the service consumer network function is authorized to access the requested service. After the check succeeds, the NRF generates an access token, called the fifth access token. The fifth access token may be an access token (NF type) or an access token (NF instance). If in the message of step 1 the service consumer network function included the NF type of the requested service provider network function, the fifth access token is an access token (NF type), that is, it includes the NF type of the requested service provider network function (for example the NF type of the first service provider network function); if the message of step 1 included the instance identifier of the requested service provider network function, the fifth access token is an access token (NF instance), that is, it includes the instance identifier of the requested service provider network function (for example the instance identifier of the first service provider network function). The fifth access token further includes the instance identifier of the service consumer network function, the name of the requested service, the instance identifier of the NRF, and the like.
Step 3: The NRF returns the generated fifth access token to the service consumer network function.
Step 4: The service consumer network function sends a message for requesting the first service to the first service provider network function (that is, the initial service provider network function); the message includes the fifth access token, among other things.
Step 5: When the first service provider network function is overloaded or about to become overloaded, it may return a response message to the service consumer network function that includes an HTTP redirection status code and information about the second service provider network function (that is, the target service provider network function). In this document, the second service provider network function is the service provider network function to which the HTTP redirection points, that is, an available service provider network function, that is, a service provider network function that can provide the first service. The HTTP redirection status code here corresponds to the first indication in FIG. 5, and the HTTP redirection status code together with the information about the second service provider network function corresponds to the first information in FIG. 5.
Step 6: According to the received HTTP redirection status code and the information about the second service provider network function, the service consumer network function sends a message for requesting an access token to the NRF; the message includes the second information. This message corresponds to the first request message in S501 of FIG. 5.
In a possible implementation, the second information may include information about the second service provider network function, for example the instance identifier of the second service provider network function, or its NF type, or its NF type and NF Set identifier, or its NF Set identifier.
In another possible implementation, the second information may include information about the first service provider network function, for example the NF type of the first service provider network function, or its NF type and NF Set identifier, or its NF Set identifier.
In a possible implementation, the second information may include the instance identifiers of multiple service provider network functions. These service provider network functions satisfy one or more of the following conditions: they can provide the first service; they belong to the same network function set as the first service provider network function (that is, they have the same NF Set identifier as the first service provider network function); they belong to the same network function type as the first service provider network function. It should be understood that these service provider network functions include the second service provider network function.
Optionally, before sending the message for requesting an access token in step 6, the service consumer network function checks whether a second condition is satisfied. If it is, the service consumer network function performs step 6; otherwise it does not perform step 6 but instead sends a message for requesting the first service to the second service provider network function, carrying the fifth access token. The second condition is that: the fifth access token includes the instance identifier of the first service provider network function; and/or the fifth access token does not include the NF type of the service provider network function; and/or the fifth access token does not include the NF Set identifier of the service provider network function; and/or the fifth access token does not include the NF Set identifier and NF type of the service provider network function; and/or the fifth access token does not include the instance identifier of the second service provider network function. In other words, when the fifth access token includes the instance identifier of the first service provider network function, and/or does not include the NF type of the service provider network function, and/or does not include the NF Set identifier of the service provider network function, and/or does not include the NF Set identifier and NF type of the service provider network function, and/or does not include the instance identifier of the second service provider network function, the service consumer network function performs step 6; otherwise, when the fifth access token includes the NF type of the service provider network function, and/or includes the NF Set identifier of the service provider network function, and/or includes the NF Set identifier and NF type of the service provider network function, and/or includes the instance identifier of the second service provider network function, the service consumer network function performs step 9. Here, the NF type of the service provider network function may be the NF type of the first service provider network function or the NF type of the second service provider network function, and the NF Set identifier of the service provider network function may be the NF Set identifier of the first service provider network function or the NF Set identifier of the second service provider network function.
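The consumer side of steps 5 and 6 of the FIG. 8 flow, as an added example that is not code from the patent or from any 3GPP implementation. It parses the first producer's HTTP 307/308 response, applies the second condition above to the decoded claims of the fifth access token, and decides whether to go to step 6 (request a new token, building one of the three forms of second information listed above) or straight to step 9 (reuse the fifth access token). Tokens are represented by their decoded claims only. The redirect header name 3gpp-Sbi-Target-Nf-Id used to carry the target producer's instance identifier (from 3GPP TS 29.500), the NF identifiers and the small profile lookup table are assumptions constructed for this example; the extra check that an NF-type token carrying a producerNfSetId is only reused for a target in that same set is this example's addition, not something the page requires.

```python
from dataclasses import dataclass
from typing import Any, Optional


@dataclass(frozen=True)
class NfInfo:
    instance_id: str
    nf_type: str
    nf_set_id: str


# Constructed stand-in for the NF Profiles the consumer holds from discovery.
KNOWN_PRODUCERS = {
    "amf-1": NfInfo("amf-1", "AMF", "set1.amfset.5gc.mnc001.mcc001"),
    "amf-2": NfInfo("amf-2", "AMF", "set1.amfset.5gc.mnc001.mcc001"),
}


def parse_redirect(status: int, headers: dict[str, str]) -> Optional[dict[str, str]]:
    """Step 5 as seen by the consumer: target URI and instance id from a
    307/308 response, or None when the response is not a redirect."""
    if status not in (307, 308):
        return None
    location = headers.get("Location")
    if not location:
        raise ValueError("redirect status without Location header")
    target_id = headers.get("3gpp-Sbi-Target-Nf-Id")  # assumed header carrying the target
    if target_id is None:
        raise ValueError("redirect does not identify the target producer")
    return {"uri": location, "instance_id": target_id}


def token_covers_target(claims: dict[str, Any], target: NfInfo) -> bool:
    """Negation of the page's second condition: True when the fifth access
    token already authorizes the redirect target (go to step 9), False when it
    is bound to the first producer or names neither the target's NF type,
    NF Set nor instance (go to step 6)."""
    aud = claims.get("aud")
    set_id = claims.get("producerNfSetId")
    if isinstance(aud, list):
        return target.instance_id in aud
    if aud == target.instance_id:
        return True
    if aud == target.nf_type:
        # Added caveat: an NF-type token that also pins an NF Set must pin the target's set.
        return set_id is None or set_id == target.nf_set_id
    if aud is None and set_id == target.nf_set_id:
        return True
    return False  # typically aud == the first producer's instance id


def build_second_information(first: NfInfo, target: NfInfo, mode: str) -> dict[str, Any]:
    """The three forms of second information the page lists for step 6."""
    if mode == "target":
        return {"nf_type": target.nf_type, "nf_set_id": target.nf_set_id,
                "instance_id": target.instance_id}
    if mode == "first":
        return {"nf_type": first.nf_type, "nf_set_id": first.nf_set_id}
    if mode == "instances":
        peers = [p.instance_id for p in KNOWN_PRODUCERS.values()
                 if p.nf_set_id == first.nf_set_id and p.nf_type == first.nf_type]
        if target.instance_id not in peers:
            peers.append(target.instance_id)
        return {"instance_ids": peers}
    raise ValueError(f"unknown mode {mode!r}")


def handle_redirect(fifth_claims: dict[str, Any], first: NfInfo, status: int,
                    headers: dict[str, str], mode: str = "target") -> tuple[str, Any]:
    """Return ("step9", target) when the fifth token can be reused as is, or
    ("step6", second_information) when a fresh token must be requested."""
    redirect = parse_redirect(status, headers)
    if redirect is None:
        return "no-redirect", None
    target = KNOWN_PRODUCERS[redirect["instance_id"]]
    if token_covers_target(fifth_claims, target):
        return "step9", target
    return "step6", build_second_information(first, target, mode)
```

An access token (NF instance) issued for amf-1 therefore triggers a new token request when amf-1 redirects to amf-2, whereas an access token (NF type) for AMF is sent to amf-2 unchanged, which is exactly the split the second condition describes.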
Step 7: The NRF checks whether the service consumer network function is authorized to access the requested service. After the check succeeds, it generates an access token, that is, the NRF generates the first access token, or the second access token, or at least two third access tokens, or the fourth access token. See the description of FIG. 5 for details.
Step 8: The NRF returns the generated access token to the service consumer network function, that is, it returns the generated first access token, or second access token, or at least two third access tokens, or fourth access token. See the description of FIG. 5 for details. This message corresponds to the first response message of S503 in FIG. 5.
Step 9: The service consumer network function sends a message for requesting the service (that is, a service request) to the second service provider network function; the message includes the obtained first access token, second access token, third access token or fourth access token. This message corresponds to the second request message in FIG. 5.
Step 10: The second service provider network function verifies the received access token and, after verification succeeds, provides the service to the service consumer network function.
In the flow shown in FIG. 8, steps 1-3, steps 4-5, steps 6-8 and steps 9-10 are each independent procedures and may be used independently.
Referring to FIG. 9, which is a schematic flowchart of a network function service authorization method in the indirect communication scenario according to an embodiment of the present application, the flow may include:
Step 1: The service consumer network function sends a message for requesting an access token to the NRF. The specific implementation of this step is basically the same as step 1 in FIG. 8.
Step 2: The NRF checks whether the service consumer network function is authorized to access the requested first service. After the check succeeds, the NRF generates the fifth access token. The specific implementation of this step is basically the same as step 2 in FIG. 8.
Step 3: The NRF returns the generated fifth access token to the service consumer network function. Same as step 3 in FIG. 8.
Step 4: The service consumer network function sends a message for requesting the service (that is, a service request) to the first service provider network function (that is, the initial service provider network function). The request message is delivered to the first service provider network function via the SCP. The message includes the fifth access token.
Step 5: The first service provider network function returns a response message to the service consumer network function that includes the first information; the first information includes a first indication and information about the second service provider network function (that is, the target service provider network function), such as its URI and/or instance identifier. The first indication is used to indicate HTTP redirection, or that another service provider network function is available, or that service access authorization failed, or that an access token is to be obtained. The response message is delivered to the service consumer network function via the SCP.
Step 6: According to the received first information, the service consumer network function sends a message for requesting an access token to the NRF; the message carries the second information. The specific implementation of this step is the same as step 6 in FIG. 8.
Step 7: The NRF checks whether the service consumer network function is authorized to access the requested service. After the check succeeds, it generates an access token, that is, the NRF generates the first access token, or the second access token, or at least two third access tokens, or the fourth access token. See the description of FIG. 5 for details.
Step 8: The NRF returns the generated access token to the service consumer network function, that is, it returns the generated first access token, or second access token, or at least two third access tokens, or fourth access token. See the description of FIG. 5 for details.
Step 9: The service consumer network function sends a message for requesting the service (that is, a service request) to the second service provider network function; the message includes the obtained first access token, second access token, third access token or fourth access token. This message corresponds to the second request message in FIG. 5. The message is delivered to the second service provider network function via the SCP.
Step 10: The second service provider network function verifies the received access token and, after verification succeeds, provides the service to the service consumer network function.
In the flow shown in FIG. 9, steps 1-3, steps 4-5, steps 6-8 and steps 9-10 are each independent procedures and may be used independently.
Referring to FIG. 10, a network function service authorization procedure in an indirect communication scenario provided by another embodiment of the present application is shown. As shown in the figure, the procedure may include:
S1001: A service communication proxy (SCP) receives a first request message from a service consumer network function, where the first request message includes a first access token. The first request message is used to request access to a first service.
The first access token carried in the service request was obtained by the service consumer from the NRF; see the procedure shown in FIG. 4. The first access token also includes the instance identifier of the service consumer network function, the name of the requested service, the instance identifier of the NRF, and so on. The requested service is the first service. The first access token may be an access token (NF type), that is, a first access token that includes the NF type of the requested service provider network function; or it may be an access token (NF instance), that is, a first access token that includes the instance identifier of the requested service provider network function (for example, the instance identifier of the first service provider network function). The requested service provider network function here is a network function that provides the first service, for example the first service provider network function.
S1002: The SCP sends a second request message to the first service provider network function, where the second request message includes the first access token. The second request message is used to request the first service.
S1003: The SCP receives a second response message from the first service provider network function, where the second response message includes information of a second service provider network function and an HTTP redirection status code. The HTTP redirection status code is used to indicate service access authorization failure, or HTTP redirection, or that an access token should be acquired, or that another service provider network function is available.
For example, after receiving the second request message, the first service provider network function sends the second response message for some reason (for instance, the first service provider network function is overloaded or about to become overloaded, and it wishes to relieve or avoid the overload); the second response message includes the HTTP redirection status code and the information of the second service provider network function (that is, the target service provider network function).
S1004: The SCP sends first information to the service consumer network function.
For example, the first information includes a first indication and/or the instance identifier of the second service provider network function. The first indication is used to indicate that HTTP redirection has occurred, or to instruct the service consumer network function to acquire an access token, or to indicate that service access authorization failed, or that another service provider network function is available. The information of the second service provider network function includes the URI or instance identifier of the second service provider network function. For example, the SCP sending the first information to the service consumer network function includes the SCP sending a first response message to the service consumer network function, where the first response message includes the first information.
For example, the first information is a message used to notify the service consumer network function that service access authorization failed, or that HTTP redirection occurred, or that an access token should be acquired, or that another service provider network function is available; the message optionally includes the information of the second service provider network function.
Optionally, in FIG. 10, before the SCP sends the first information to the service consumer network function, the following step may also be included: the SCP determines that a first condition is met. In other words, the SCP sends the first information to the service consumer network function only if the first condition is met.
For example, the first condition includes at least one of the following:
the first access token does not include the instance identifier of the second service provider network function;
the first access token cannot be used to authorize access to the service of the second service provider network function;
the first access token can only be used to access a specific service provider network function instance, or only to access the service of the first service provider network function, where the specific service provider network function includes the first service provider network function;
the first access token does not include the network function type or the network function set identifier of the service provider network function;
the first access token includes the instance identifier of the first service provider network function.
Further, if the first condition is not met, the SCP sends a third request message to the second service provider network function; the third request message is a message requesting the service and includes the first access token.
Optionally, in FIG. 10, after the SCP sends the first information to the service consumer network function, the service consumer network function re-requests an access token from the NRF based on the first information.
Optionally, in FIG. 10, after the SCP sends the first information to the service consumer network function and the service consumer network function has re-obtained an access token, the service consumer network function uses the obtained access token to request the service from the second service provider network function. This procedure may include the following steps:
The service consumer network function sends a fourth request message; the fourth request message is a message requesting the service and includes the re-obtained access token. After receiving the fourth request message, the SCP sends a fifth request message to the second service provider network function; the fifth request message is a service request and includes the received access token. The second service provider network function verifies the received access token and, once verification passes, provides the service to the service consumer network function.
In the above implementation, in an indirect communication scenario, when the service consumer network function uses the first access token to request a service from the first service provider network function and HTTP redirection occurs, the service communication proxy can, after receiving the second response message from the first service provider network function (which includes the information of the second service provider network function and the redirection status code), send the first information to the service consumer network function so that the service consumer network function requests a new access token. The service consumer network function can then use the re-obtained access token to request the service from the second service provider network function (that is, the target service provider network function to which it was redirected).
Based on the procedure shown in FIG. 10, FIG. 11 shows a schematic diagram of a signaling interaction procedure in an indirect communication scenario. As shown in the figure, the procedure may include the following steps:
Step 1: The service consumer network function sends a message requesting an access token to the NRF. See step 1 of FIG. 9 for details.
Step 2: The NRF checks whether the service consumer network function is authorized to access the requested first service. After the check succeeds, the NRF generates a first access token. The first access token may be an access token (NF type) or an access token (NF instance). If the message of step 1 includes the NF type of the requested service provider network function, the first access token is an access token (NF type), that is, it includes the NF type of the requested service provider network function (for example, the NF type of the first service provider network function); if the message of step 1 includes the instance identifier of the requested service provider network function, the first access token is an access token (NF instance), that is, it includes the instance identifier of the requested service provider network function (for example, the instance identifier of the first service provider network function). The first access token also includes the instance identifier of the service consumer network function, the name of the requested service, the instance identifier of the NRF, and so on.
Step 3: The NRF returns the generated first access token to the service consumer network function.
Step 4: The service consumer network function sends a message requesting the service (that is, a service request) to the first service provider network function (that is, the initial service provider network function); the message includes the first access token. The request message is sent to the first service provider network function via the SCP.
In this step, the service request message that the SCP receives from the service consumer network function corresponds to the first request message of FIG. 10, and the service request message that the SCP sends to the first service provider network function corresponds to the second request message of FIG. 10.
Steps 1-4 above are implemented in the same way as the corresponding steps of FIG. 9.
Step 5: The first service provider network function returns a response message to the SCP. The response message includes an HTTP redirection status code, such as HTTP 307 redirection or HTTP 308 redirection, and information (such as a URI and/or an instance identifier) of the second service provider network function (that is, the target service provider network function).
Step 6: Optionally, after receiving the response message from the first service provider network function that includes the HTTP redirection status code and the information of the second service provider network function, the SCP determines whether the first condition is met. If it is met, step 7 is performed; if it is not met, the SCP sends a message requesting the service (not shown in the figure) to the second service provider network function, carrying the first access token. For example, the first condition includes at least one of the following:
the first access token does not include the instance identifier of the second service provider network function;
the first access token cannot be used to authorize access to the service of the second service provider network function;
the first access token can only be used to access a specific service provider network function instance, or only to access the service of the first service provider network function, where the specific service provider network function includes the first service provider network function;
the first access token does not include the network function type or the network function set identifier of the service provider network function;
the first access token includes the instance identifier of the first service provider network function.
If the first condition is met, this means that the first access token does not include the instance identifier of the second service provider network function, and/or the first access token cannot be used to authorize access to the service of the second service provider network function, and/or the first access token can only be used to access a specific service provider network function instance or only to access the service of the first service provider network function (where the specific service provider network function includes the first service provider network function), and/or the first access token does not include the network function type or the network function set identifier of the service provider network function, and/or the first access token includes the instance identifier of the first service provider network function. When the first condition is met, the SCP performs step 7 and sends the first information to the service consumer network function.
If the first condition is not met, this means that the first access token includes the instance identifier of the second service provider network function, and/or the first access token can be used to authorize access to the service of the second service provider network function, and/or the first access token includes the network function type or the network function set identifier of the service provider network function. When the first condition is not met, the SCP sends the message requesting the service to the second service provider network function, carrying the first access token.
Step 7: The SCP sends the first information to the service consumer network function.
For example, the first information includes a first indication and/or the instance identifier of the second service provider network function. The first indication is used to indicate that HTTP redirection has occurred, or to instruct the service consumer network function to acquire an access token, or to indicate that service access authorization failed, or that another service provider network function is available. The information of the second service provider network function includes the URI or instance identifier of the second service provider network function. For example, the SCP sending the first information to the service consumer network function includes the SCP sending a first response message to the service consumer network function, where the first response message includes the first information.
For example, the first information is a message used to notify the service consumer network function that service access authorization failed, or that HTTP redirection occurred, or that an access token should be acquired, or that another service provider network function is available; the message optionally includes the information of the second service provider network function, including the URI and/or instance identifier of the second service provider network function.
Step 8: After receiving the first information from the SCP, the service consumer network function sends a message requesting an access token to the NRF. The message may include second information; see the second information in the procedure shown in FIG. 5 for details.
Step 9: The NRF checks whether the service consumer network function is authorized to access the requested service. After the check succeeds, the NRF generates an access token, namely a second access token, a third access token, multiple fourth access tokens or a fifth access token. See the description in step 10 for the second access token, the third access token, the multiple fourth access tokens and the fifth access token.
Step 10: The NRF returns the generated access token to the service consumer network function, that is, the generated second access token, third access token, multiple fourth access tokens or fifth access token. The generated access token includes the second information.
The second access token includes the NF type of the service provider network function and/or the NF set identifier of the service provider network function. The service provider network function here is the service provider network function that provides the first service, the first service provider network function, or the second service provider network function.
The third access token includes the instance identifiers of multiple service provider network functions. It should be noted that each instance identifier included in the third access token is an instance identifier from the second information. These service provider network functions can all provide the first service, that is, they include the second service provider network function.
Each fourth access token includes the instance identifier of one service provider network function that can provide the first service. The fourth access token includes the second information, which can be understood as follows: the service provider network function instance identifier in each fourth access token is one of the multiple service provider network function instance identifiers in the second information.
The fifth access token includes the instance identifier of the second service provider network function. The fifth access token includes the second information, which can be understood as follows: the second information includes the instance identifier of the second service provider network function, and the instance identifier in the fifth access token is the instance identifier of the second service provider network function.
Step 11: The service consumer network function sends a message requesting the service (that is, a service request) to the SCP, which includes the second access token, third access token, fourth access token or fifth access token. The SCP sends a message requesting the service to the second service provider network function (that is, the target service provider network function), which includes the second access token, third access token, fourth access token or fifth access token.
In this step, the service request message that the SCP receives from the service consumer network function corresponds to the fourth request message in the procedure shown in FIG. 10, and the service request message that the SCP sends to the second service provider network function corresponds to the fifth request message in the procedure shown in FIG. 10.
Step 12: The second service provider network function verifies the received access token and, once verification passes, provides the service to the service consumer network function.
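The SCP-side decision of steps 5 to 7 above (determine whether the first condition holds, then either forward the request to the target with the same token or send the first information to the consumer), as an added Python example that is not part of the patent or of any 3GPP implementation. The token and provider fields are a constructed, simplified model of the elements the text discusses (a real token would be a signed JWT); field names, the indication value and all sample identifiers are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


# Constructed model of a service provider network function instance.
@dataclass(frozen=True)
class Provider:
    instance_id: str
    nf_type: str
    nf_set_id: str
    uri: str


# Constructed model of the access token contents discussed in the text.
@dataclass(frozen=True)
class AccessToken:
    consumer_instance_id: str
    service_name: str
    nrf_instance_id: str
    producer_nf_type: Optional[str] = None       # set for an "access token (NF type)"
    producer_nf_set_id: Optional[str] = None     # set for a token scoped to an NF set
    producer_instance_ids: Tuple[str, ...] = ()  # set for an "access token (NF instance)"


def token_authorizes(token: AccessToken, provider: Provider) -> bool:
    """Producer-side check (step 12): can this token authorize this provider instance?"""
    if provider.instance_id in token.producer_instance_ids:
        return True
    if token.producer_nf_type is not None and token.producer_nf_type == provider.nf_type:
        return True
    return token.producer_nf_set_id is not None and token.producer_nf_set_id == provider.nf_set_id


def first_condition_met(token: AccessToken, first: Provider, second: Provider) -> bool:
    """The 'first condition' of step 6, evaluated from the listed sub-conditions.

    A token that carries neither an NF type nor an NF set covering the target and
    whose instance list omits the target (e.g. it is bound to the first provider
    only) cannot authorize the second provider's service, so it must be re-obtained.
    """
    # Condition 1: the token does not carry the second provider's instance identifier.
    lacks_second_id = second.instance_id not in token.producer_instance_ids
    # Conditions 3/4/5: no NF type or NF set scope that covers the second provider.
    scope_covers_second = (token.producer_nf_type == second.nf_type
                           or (token.producer_nf_set_id is not None
                               and token.producer_nf_set_id == second.nf_set_id))
    # Condition 2 is the net effect: the token cannot authorize the second provider.
    return lacks_second_id and not scope_covers_second


REDIRECT_STATUS_CODES = (307, 308)


def scp_handle_provider_response(token: AccessToken, first: Provider,
                                 status: int, target: Optional[Provider]):
    """SCP behaviour after step 5: the first provider's response to the second request."""
    if status not in REDIRECT_STATUS_CODES or target is None:
        # Not a redirect: relay the response to the consumer unchanged.
        return ("relay", status)
    if not first_condition_met(token, first, target):
        # First condition not met: third request message to the target, same token.
        return ("forward", target.uri)
    # First condition met (step 7): first information for the consumer, which then
    # re-requests a token from the NRF (step 8) before retrying toward the target.
    return ("first_information", {
        "indication": "http-redirect",  # constructed value for the first indication
        "target_instance_id": target.instance_id,
        "target_uri": target.uri,
    })


# Constructed sample data: two SMF instances in one NF set, both providing the
# first service; SMF_A is the initial provider and SMF_B the redirect target.
SMF_A = Provider("smf-a-0001", "SMF", "set-smf-1", "https://smf-a.example/first-service")
SMF_B = Provider("smf-b-0002", "SMF", "set-smf-1", "https://smf-b.example/first-service")
BASE = ("amf-0001", "first-service", "nrf-0001")  # consumer id, service name, NRF id

TOKEN_INSTANCE_A = AccessToken(*BASE, producer_instance_ids=(SMF_A.instance_id,))
TOKEN_NF_TYPE = AccessToken(*BASE, producer_nf_type="SMF")
TOKEN_NF_SET = AccessToken(*BASE, producer_nf_set_id="set-smf-1")
TOKEN_BOTH_IDS = AccessToken(*BASE, producer_instance_ids=(SMF_A.instance_id, SMF_B.instance_id))
SAMPLE_TOKENS = [TOKEN_INSTANCE_A, TOKEN_NF_TYPE, TOKEN_NF_SET, TOKEN_BOTH_IDS]


def demo():
    """Run the redirect handling for each token form; returns the chosen actions."""
    return [scp_handle_provider_response(t, SMF_A, 307, SMF_B)[0] for t in SAMPLE_TOKENS]


if __name__ == "__main__":
    for name, action in zip(["instance(A)", "nf-type", "nf-set", "instance(A,B)"], demo()):
        print(f"{name:14} -> {action}")
```

Only the token bound to the initial provider's instance identifier triggers the first information; the NF type, NF set and two-instance tokens are forwarded unchanged.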
Referring to FIG. 12, a schematic flowchart of network function service authorization provided by another embodiment of the present application is shown. In this procedure, the NRF generates a first access token when it determines that a first condition is met; the first access token can be used for the authorization check when the service consumer network function accesses the service of the first service provider network function (that is, the initial service provider network function) and of the second service provider network function (that is, the target service provider network function).
As shown in FIG. 12, the procedure may include the following steps:
S1201: The network repository function (NRF) receives a first request message from a service consumer network function, where the first request message is used to request an access token. The first request message includes the service name of the first service requested by the service consumer network function, and the network function type or instance identifier of the requested service provider network function.
Optionally, if the service consumer network function supports HTTP redirection, the first request message may further include first information, where the first information is used to indicate that the service consumer network function supports HTTP redirection, or to indicate that the service consumer network function requests that the first service support HTTP redirection, or to indicate that the service consumer network function requests that the service provider network function support HTTP redirection, or to indicate that the first service supports HTTP redirection, or to indicate that the requested service provider network function supports HTTP redirection.
S1202: After receiving the first request message, the network repository function determines whether the first condition is met, and if so generates a first access token, or a second access token, or multiple third access tokens.
Optionally, the first condition is met if the network repository function receives the first information from the service consumer network function.
Optionally, the first condition is met if the local configuration of the network repository function indicates that the first service or the requested service provider network function supports HTTP redirection.
Optionally, the first condition is met if the network function profile (NF Profile) of the first service or of the requested service provider network function indicates that the features supported by the first service or by the requested service provider network function include HTTP redirection.
Optionally, the first condition is met if the service consumer network function communicates with the service provider network function through an SCP.
The first access token includes the network function type of the requested service provider network function, or the network function set identifier of the requested service provider network function, or both the network function type and the network function set identifier of the requested service provider network function.
The second access token includes the instance identifiers of multiple service provider network functions that can provide the first service. It should be understood that the service provider network functions that can provide the first service include the first service provider network function and the second service provider network function, so the second access token includes both the instance identifier of the first service provider network function and the instance identifier of the second service provider network function.
Each third access token includes the instance identifier of one service provider network function that can provide the first service. It should be understood that, since both the first service provider network function and the second service provider network function can provide the first service, one third access token includes the instance identifier of the first service provider network function and another third access token includes the instance identifier of the second service provider network function.
Optionally, before generating the first access token, the second access token or the multiple third access tokens, the NRF also needs to check whether the service consumer network function is authorized to access the requested service. If it is not, the NRF does not generate any access token and returns a response message carrying the error cause to the service consumer network function.
Further, if the first condition is not met, the NRF generates a fourth access token; for example, the fourth access token carries the instance identifier of the requested service provider network function. Optionally, before generating the fourth access token, the NRF also needs to check whether the service consumer network function is authorized to access the requested service. If it is not, the NRF does not generate any access token and returns a response message carrying the error cause to the service consumer network function.
S1203: The network repository function sends a first response message to the service consumer network function, where the first response message may include the first access token, or the second access token, or the multiple third access tokens.
After obtaining the first access token, or the second access token, or the multiple third access tokens, the service consumer network function can send a service request to the first service provider network function (that is, the initial service provider network function) to request that it perform the requested service. Here the first service provider network function is the service provider network function requested by the service consumer network function.
If, for some reason (for example, the first service provider network function or the service provider network function instance is overloaded or about to become overloaded, and it wishes to relieve or avoid the overload), the first service provider network function performs HTTP redirection, that is, sends the HTTP redirection status code and the information of the second service provider network function (that is, the target service provider network function) to the service consumer network function, then, because the first access token, or the second access token, or the multiple third access tokens obtained by the service consumer network function can be used for authorization when the service consumer network function accesses the first service of the second service provider network function, the service consumer network function can invoke the service of the second service provider network function. In this way, the service consumer network function can obtain the service from the target service provider network function even if HTTP redirection occurs.
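The NRF-side logic of S1201 to S1203 (check authorization, decide whether the first condition holds, then issue a first, second or multiple third access tokens, or a fourth access token otherwise), as an added Python example that is not part of the patent or of any NRF implementation. NF profiles, the local configuration, the authorization policy, the token layout and the "http-redirect" feature name are constructed placeholders of this example, not 3GPP claim or feature names.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


# Constructed model of an NF profile as registered at the NRF.
@dataclass(frozen=True)
class NfProfile:
    instance_id: str
    nf_type: str
    nf_set_id: str
    services: FrozenSet[str]                  # service names this instance provides
    features: FrozenSet[str] = frozenset()    # placeholder feature names, e.g. "http-redirect"


# Constructed model of the first request message (the access token request).
@dataclass(frozen=True)
class TokenRequest:
    consumer_instance_id: str
    service_name: str
    producer_nf_type: Optional[str] = None      # requested producer given by NF type ...
    producer_instance_id: Optional[str] = None  # ... or by instance identifier
    first_information: bool = False             # consumer signals HTTP redirect support
    via_scp: bool = False                       # indirect communication through an SCP


@dataclass(frozen=True)
class Nrf:
    instance_id: str
    profiles: Dict[str, NfProfile]              # instance_id -> registered profile
    redirect_services: FrozenSet[str]           # local config: services supporting redirect
    authorized: FrozenSet[Tuple[str, str]]      # policy: (consumer instance id, service name)

    def first_condition_met(self, req: TokenRequest) -> bool:
        """Any one of the four optional triggers in the text satisfies the condition."""
        if req.first_information:                       # first information received
            return True
        if req.service_name in self.redirect_services:  # local configuration
            return True
        requested = self.profiles.get(req.producer_instance_id)
        if requested is not None and "http-redirect" in requested.features:  # NF profile
            return True
        return req.via_scp                              # consumer talks through an SCP

    def issue(self, req: TokenRequest, form: str = "first"):
        """Return ("error", cause) or ("tokens", [token, ...]).

        form selects which of the first/second/third token forms is used when the
        first condition is met; a fourth token is issued when it is not.
        """
        # Authorization check before any token is generated (S1202, optional step).
        if (req.consumer_instance_id, req.service_name) not in self.authorized:
            return ("error", "consumer not authorized for service")
        base = {"iss": self.instance_id, "sub": req.consumer_instance_id, "scope": req.service_name}
        if not self.first_condition_met(req):
            # Fourth access token: bound to the single requested producer instance
            # (constructed choice: an NF-type-only request cannot get a fourth token here).
            if req.producer_instance_id is None:
                return ("error", "fourth token requires a requested producer instance")
            return ("tokens", [dict(base, producer_instance_ids=[req.producer_instance_id])])
        requested = self.profiles.get(req.producer_instance_id)
        producers = [p for p in self.profiles.values() if req.service_name in p.services]
        if form == "first":
            # NF type and/or NF set identifier of the requested producer.
            nf_type = req.producer_nf_type or (requested.nf_type if requested else None)
            nf_set = requested.nf_set_id if requested else None
            return ("tokens", [dict(base, producer_nf_type=nf_type, producer_nf_set_id=nf_set)])
        if form == "second":
            # One token listing every producer instance able to provide the service.
            return ("tokens", [dict(base, producer_instance_ids=[p.instance_id for p in producers])])
        if form == "third":
            # One token per producer instance able to provide the service.
            return ("tokens", [dict(base, producer_instance_ids=[p.instance_id]) for p in producers])
        raise ValueError(f"unknown token form: {form}")


# Constructed sample data: two SMF instances provide the first service (SMF_B
# advertises redirect support in its profile), one PCF provides another service.
SMF_A = NfProfile("smf-a-0001", "SMF", "set-smf-1", frozenset({"first-service"}))
SMF_B = NfProfile("smf-b-0002", "SMF", "set-smf-1", frozenset({"first-service"}),
                  features=frozenset({"http-redirect"}))
PCF_1 = NfProfile("pcf-0001", "PCF", "set-pcf-1", frozenset({"other-service"}))
NRF = Nrf("nrf-0001", {p.instance_id: p for p in (SMF_A, SMF_B, PCF_1)},
          redirect_services=frozenset({"other-service"}),
          authorized=frozenset({("amf-0001", "first-service")}))


def demo():
    """Three requests for the first service from SMF_A; returns the NRF responses."""
    plain = TokenRequest("amf-0001", "first-service", producer_instance_id="smf-a-0001")
    signalled = TokenRequest("amf-0001", "first-service", producer_instance_id="smf-a-0001",
                             first_information=True)
    indirect = TokenRequest("amf-0001", "first-service", producer_instance_id="smf-a-0001",
                            via_scp=True)
    return {
        "fourth": NRF.issue(plain),                # no trigger: bound to smf-a only
        "second": NRF.issue(signalled, "second"),  # lists smf-a and smf-b
        "third": NRF.issue(indirect, "third"),     # one token per SMF instance
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "second" and "third" results already cover SMF_B, which is why a later redirect from SMF_A to SMF_B needs no new token, whereas the "fourth" token names SMF_A only.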
FIG. 13 is a schematic flow diagram of the flow of FIG. 12 in the direct communication scenario. As shown in the figure, the flow may include the following steps:
Step 1: The service consumer network function sends the NRF a message requesting an access token (the first request message). The message carries the service name of the requested first service, the instance identifier of the service consumer network function, and the NF type or instance identifier of the requested service provider network function.
Optionally, if the service consumer network function supports HTTP redirection, the first request message may also carry first information. The first information indicates one of the following: that the service consumer network function supports HTTP redirection; that the service consumer network function requests that the first service support HTTP redirection; that the service consumer network function requests that the service provider network function support HTTP redirection; that the first service supports HTTP redirection; or that the requested service provider network function supports HTTP redirection.
Step 2: After receiving the first request message, the NRF determines whether the first condition is met and, if so, generates a first access token, a second access token or multiple third access tokens.
Optionally, the first condition is met if the NRF receives the first information from the service consumer network function.
Optionally, the first condition is met if the local configuration of the NRF indicates that the first service or the requested service provider network function supports HTTP redirection.
Optionally, the first condition is met if the NF Profile of the first service or of the requested service provider network function indicates that the features supported by the first service or by the requested service provider network function include HTTP redirection.
The first access token contains the NF type of the requested service provider network function, or the NF Set identifier of the requested service provider network function, or both.
The second access token contains the instance identifiers of multiple service provider network functions that can provide the first service. Since the service provider network functions that can provide the first service include the first service provider network function and the second service provider network function, the second access token contains the instance identifiers of both.
Each third access token contains the instance identifier of one service provider network function that can provide the first service. Since both the first and the second service provider network function can provide the first service, one third access token contains the instance identifier of the first service provider network function and another contains the instance identifier of the second.
Optionally, before generating the first access token, the second access token or the multiple third access tokens, the NRF also checks whether the service consumer network function is authorized to access the requested service. If it is not, the NRF generates no access token and returns a response message carrying the error cause to the service consumer network function.
Further, if the first condition is not met, the NRF generates a fourth access token; for example, the fourth access token carries the instance identifier of the requested service provider network function. Optionally, before generating the fourth access token, the NRF likewise checks whether the service consumer network function is authorized to access the requested service and, if it is not, generates no access token and returns a response message carrying the error cause to the service consumer network function.
Step 3: The NRF sends the service consumer network function a first response message, which may carry the first access token, the second access token or the multiple third access tokens.
Step 4: The service consumer network function sends the first service provider network function (the initial service provider network function) a message requesting the service (the service request message), carrying the first access token, the second access token or a third access token.
Optionally, when the service consumer network function has obtained multiple third access tokens, it may include all of them in the service request message, or include only the third access token that contains the instance identifier of the first service provider network function.
Step 5: The first service provider network function may send the service consumer network function a response message carrying an HTTP redirection status code and the information of the second service provider network function. The redirection status code may be 307 Temporary Redirect or 308 Permanent Redirect.
Step 6: After receiving the response of Step 5, the service consumer network function sends a service request message to the second service provider network function according to the HTTP redirection status code and the information of the second service provider network function. The message carries the first access token, the second access token or the multiple third access tokens obtained in Step 3.
In one possible implementation, when the service consumer network function has obtained multiple third access tokens, it may include all of them in this service request message, or include only the third access token that contains the instance identifier of the second service provider network function.
Step 7: The second service provider network function verifies the received access token and, if verification succeeds, performs the first service requested by the service consumer network function.
In one possible implementation, when the second service provider network function receives a second access token containing the instance identifiers of multiple service provider network functions, it checks whether its own instance identifier is among them. If it is not, verification of the access token fails: the second service provider network function does not perform the first service requested by the service consumer network function and returns a response message carrying the error cause.
Note that in the flow of FIG. 13, Steps 1 to 3 (obtaining the access token) and Steps 4 to 7 (accessing the service) are two independent flows and can be executed independently.
FIG. 14 is a schematic signalling diagram of the flow of FIG. 12 in the indirect communication scenario. As shown in the figure, the flow may include the following steps:
Step 1: The service consumer network function sends the NRF a message requesting an access token (the first request message); see Step 1 of FIG. 13, not repeated here.
Step 2: After receiving the first request message, the NRF determines whether the first condition is met and, if so, generates a first access token, a second access token or multiple third access tokens. The first condition is met under the same optional triggers as in Step 2 of FIG. 13 (the NRF receives the first information from the service consumer network function; the local configuration of the NRF indicates that the first service or the requested service provider network function supports HTTP redirection; or the NF Profile of the first service or of the requested service provider network function lists HTTP redirection among the supported features), and in addition:
Optionally, the first condition is met if the service consumer network function communicates with the service provider network function through an SCP.
The contents of the first access token (NF type and/or NF Set identifier of the requested service provider network function), of the second access token (instance identifiers of the multiple service provider network functions that can provide the first service, including the first and the second service provider network function) and of each third access token (the instance identifier of one such service provider network function), the optional check that the service consumer network function is authorized to access the requested service before any token is generated, and the fourth access token generated when the first condition is not met are as described for Step 2 of FIG. 13.
Step 3: The NRF sends the service consumer network function a response message carrying the first access token, the second access token or the multiple third access tokens it generated; see Step 3 of FIG. 12.
Step 4: The service consumer network function sends the SCP a message requesting the service, carrying the first access token, the second access token or the multiple third access tokens it received. The SCP forwards the service request to the first service provider network function, carrying the access token(s) received from the service consumer network function.
In one possible implementation, when the service consumer network function has obtained multiple third access tokens, it may include all of them in the service request message, or include only the third access token that contains the instance identifier of the first service provider network function.
Step 5: The first service provider network function sends the service consumer network function a response message, which reaches the service consumer network function via the SCP. The response message carries an HTTP redirection status code and the information of the second service provider network function (such as its URI and/or instance identifier).
Step 6: The service request message that the service consumer network function sends to the second service provider network function is delivered to the second service provider network function via the SCP. The message carries the first access token, the second access token or the multiple third access tokens.
In one possible implementation, when the service consumer network function has obtained multiple third access tokens, it may include all of them in this service request message, or include only the third access token that contains the instance identifier of the second service provider network function.
Step 7: The second service provider network function verifies the received access token and, if verification succeeds, performs the first service requested by the service consumer network function.
Steps 4 to 7 are implemented essentially as the corresponding steps of FIG. 13; the difference is that the service consumer network function and the service provider network function communicate through the SCP.
In one possible implementation, after receiving the HTTP redirection status code and the information of the second service provider network function from the first service provider network function, the SCP directly sends the service request message to the second service provider network function, carrying the access token(s) it received in Step 4.
Note that in the flow of FIG. 14, Steps 1 to 3 (obtaining the access token) and Steps 4 to 7 (accessing the service) are two independent flows and can be executed independently.
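The two flows above (FIG. 13, direct; FIG. 14, via the SCP), as an added runnable model that is not part of the patent or of any 3GPP implementation. It covers the NRF's first condition and the first/second/third/fourth token shapes (Steps 1 to 3), the redirect from the first producer and the re-sent token (Steps 4 to 6), and the producer-side audience check (Step 7). Assumptions: tokens are JWT-shaped and HMAC-signed with the standard library (a real NRF signs with its private key); the key, NF profiles, instance identifiers, the `producerNfSetId` claim name, the `HTTP_REDIRECT` feature name and the authorization policy are all constructed for the example.

```python
"""Added example, not code from the patent: an executable model of the token
grant and HTTP-redirect flows of FIG. 13 (direct) and FIG. 14 (via the SCP).
Tokens are JWT-shaped and HMAC-signed with the standard library; the NRF key,
NF profiles, identifiers and the authorization policy are all constructed."""
import base64, hashlib, hmac, json, time

NRF_KEY = b"constructed-demo-key"  # constructed; a real NRF signs with its private key
SERVICE = "nsmf-pdusession"
NF_PROFILES = {  # constructed: smf-1/smf-2 share an NF Set and advertise redirection
    "smf-1": {"nfType": "SMF", "nfSetId": "set1.smf", "services": {SERVICE: ["HTTP_REDIRECT"]}},
    "smf-2": {"nfType": "SMF", "nfSetId": "set1.smf", "services": {SERVICE: ["HTTP_REDIRECT"]}},
    "smf-3": {"nfType": "SMF", "nfSetId": "set2.smf", "services": {SERVICE: []}},
}
ALLOWED = {("AMF", SERVICE)}  # constructed policy: consumer NF type -> service it may use

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims, key=NRF_KEY):
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_token(token, key=NRF_KEY):
    """Claims if the signature and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    return claims if claims.get("exp", 0) > time.time() else None

def nrf_first_condition(req):
    """Step 2: first information, the NF Profile feature, or use of an SCP."""
    feats = NF_PROFILES[req["targetNfInstanceId"]]["services"].get(req["scope"], [])
    return bool(req.get("redirectSupported")) or "HTTP_REDIRECT" in feats or bool(req.get("viaScp"))

def nrf_issue(req, kind):
    """Steps 2-3: kind picks the first/second/third token; a fourth (instance-bound)
    token is issued when the first condition is not met."""
    service, target = req["scope"], req["targetNfInstanceId"]
    if (req["nfType"], service) not in ALLOWED:
        return {"error": "consumer not authorized for " + service}
    base = {"iss": "nrf", "sub": req["nfInstanceId"], "scope": service,
            "exp": int(time.time()) + 300}
    if not nrf_first_condition(req):
        return {"access_token": sign_token({**base, "aud": target})}
    prof = NF_PROFILES[target]
    providers = [i for i, p in NF_PROFILES.items() if service in p["services"]]
    if kind == "first":
        return {"access_token": sign_token(
            {**base, "aud": prof["nfType"], "producerNfSetId": prof["nfSetId"]})}
    if kind == "second":
        return {"access_token": sign_token({**base, "aud": providers})}
    return {"access_tokens": [sign_token({**base, "aud": i}) for i in providers]}

def producer_accepts(instance_id, token):
    """Step 7: the producer serves only if the token's audience covers itself."""
    claims = verify_token(token)
    if claims is None or claims["scope"] not in NF_PROFILES[instance_id]["services"]:
        return False
    me, aud = NF_PROFILES[instance_id], claims["aud"]
    if isinstance(aud, list):
        return instance_id in aud          # second token: own id must be listed
    if aud == instance_id:
        return True                        # third or fourth token
    return aud == me["nfType"] and claims.get("producerNfSetId") in (None, me["nfSetId"])

def pick_token(tokens, target):
    """With several third tokens, send the one naming the target producer."""
    for t in tokens:
        claims = verify_token(t)
        if claims and claims["aud"] == target:
            return t
    return tokens[0]

def service_call(grant, first, redirect_to=None, via_scp=False):
    """Steps 4-7.  When redirect_to is set, the first producer answers 307 with
    the target's info and the same token(s) are re-sent: by the consumer itself
    (FIG. 13) or by the SCP without a new grant (FIG. 14, last variant)."""
    tokens = grant.get("access_tokens") or [grant["access_token"]]
    if not producer_accepts(first, pick_token(tokens, first)):
        return {"status": 403, "served_by": first}
    if redirect_to is None:
        return {"status": 200, "served_by": first}
    ok = producer_accepts(redirect_to, pick_token(tokens, redirect_to))
    return {"status": 200 if ok else 403, "served_by": redirect_to,
            "redirect_followed_by": "scp" if via_scp else "consumer"}
```

The check worth keeping from this model is `producer_accepts`: a first token issued with an NF Set identifier is refused by a producer in another set, a fourth (instance-bound) token does not survive a redirect at all, and a second token is refused by any producer whose instance identifier is not listed in it. Widening the audience only works because the target producer still enforces it.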
Based on the above embodiments, an embodiment of this application further provides a service consumer network function. As shown in FIG. 15, the service consumer network function 1500 may include a transceiver unit 1501 and a processing unit 1502. The transceiver unit 1501 receives and sends information (messages or data) for the service consumer network function 1500; the processing unit 1502 controls and manages the actions of the service consumer network function 1500 and may also control the steps performed by the transceiver unit 1501.
In one embodiment, the network function 1500 may implement the functions of the service consumer network function in the embodiment of FIG. 5. Specifically:
The transceiver unit 1501 is configured to send, according to first information, a first request message to the NRF, the first request message carrying second information and the service name of a first service and requesting an access token, where the access token is used for the authorization check when the service consumer network function accesses the first service; and to receive a first response message from the NRF.
In one possible implementation, the first information indicates that at least one of the service consumer network function, the first service and the service provider network function providing the first service supports the HTTP redirection feature; or the first information includes a first indication and/or the instance identifier of a second service provider network function, where the first indication indicates a service access authorization failure, an HTTP redirection, that an access token is to be obtained, or that another service provider network function is available, and the second service provider network function is the target service provider network function of the HTTP redirection; or the first information includes the instance identifiers of multiple service provider network functions; or the first information indicates that the service consumer network function communicates with the service provider network function through a service communication proxy (SCP).
Optionally, the transceiver unit 1501 is further configured to receive the first information before sending the first request message to the NRF according to it.
For example, the transceiver unit 1501 is specifically configured to receive the first information from the NRF, the SCP or the first service provider network function.
In one possible implementation, the second information includes: the NF type of the service provider network function requested by the service consumer network function; or the NF Set identifier of the service provider network function requested by the service consumer network function; or the instance identifier of a second service provider network function, where the second service provider network function is the target service provider network function of the HTTP redirection; or the instance identifiers of the multiple service provider network functions carried in the first information.
In one possible implementation, the response message carries any one of the following:
a first access token, containing the NF type and/or the NF Set identifier of the service provider network function;
a second access token, containing the instance identifiers of multiple service provider network functions;
multiple third access tokens, each containing the instance identifier of one service provider network function;
a fourth access token, containing the instance identifier of the second service provider network function, which is the target service provider network function of the HTTP redirection.
Optionally, the transceiver unit 1501 is further configured to send, after receiving the first response message from the NRF, a second request message to the first service provider network function, the second service provider network function or the SCP. The second request message requests the service and carries the first access token, the second access token, the third access token or the fourth access token.
In one possible implementation, the transceiver unit 1501 is further configured to send, before sending the first request message to the NRF according to the first information, a third request message to the first service provider network function or the SCP, the third request message requesting the first service.
In one possible implementation, the transceiver unit 1501 is further configured to send, before sending the first request message to the NRF according to the first information, a fourth request message to the NRF. The fourth request message carries the service name of the first service and requests discovery of the first service or of the network function instances that can provide it.
Based on the above embodiments, an embodiment of this application further provides a service communication proxy. As shown in FIG. 16, the service communication proxy 1600 may include a transceiver unit 1601 and a processing unit 1602. The transceiver unit 1601 receives and sends information (messages or data) for the service communication proxy 1600; the processing unit 1602 controls and manages the actions of the service communication proxy 1600 and may also control the steps performed by the transceiver unit 1601.
In one embodiment, the service communication proxy 1600 may implement the functions of the service communication proxy in the embodiment of FIG. 10. Specifically:
The transceiver unit 1601 is configured to: receive a first request message from the service consumer network function, carrying a first access token; send a second request message carrying the first access token to the first service provider network function; receive from the first service provider network function a second response message carrying the information of a second service provider network function and a redirection status code, where the redirection status code indicates a service access authorization failure, an HTTP redirection, that an access token is to be obtained, or that another service provider network function is available; and send a first response message to the service consumer network function, the first response message being used by the service consumer network function to request a second access token.
In one possible implementation, the first response message carries first information, which includes a first indication and/or the instance identifier of the second service provider network function. The first indication indicates that an HTTP redirection occurred, that the service consumer network function is to obtain an access token, that service access authorization failed, or that another service provider network function is available.
In one possible implementation, the processing unit 1602 is further configured to determine, before the first response message is sent to the service consumer network function, that a first condition is met, where the first condition includes at least one of the following:
the first access token does not contain the instance identifier of the second service provider network function;
the first access token cannot be used to authorize access to the service of the second service provider network function;
the first access token can only be used to access specific service provider network function instances, which include the first service provider network function, or only the service of the first service provider network function;
the first access token contains neither the NF type nor the NF Set identifier of a service provider network function;
the first access token contains the instance identifier of the first service provider network function.
Optionally, the transceiver unit 1601 is further configured to send, if the first condition is not met, a third request message carrying the first access token to the second service provider network function.
Optionally, the transceiver unit 1601 is further configured to receive, after sending the first response message to the service consumer network function, a fourth request message from the service consumer network function carrying the second access token, and to send a fifth request message carrying the second access token to the second service provider network function.
Optionally, the second access token contains the instance identifier of the second service provider network function, the NF type of the service provider network function, or the NF Set identifier of the service provider network function.
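The decision the service communication proxy 1600 makes on the redirect, as an added example that is not the patent's or any SCP implementation's code. It works on already-verified token claims and implements the alternatives of the first condition that can be decided from the claims alone: an instance-bound token that does not name the redirect target, a token usable only with the first producer, and, as one case of "cannot authorize access to the second producer's service", a type-bound token issued for a different NF Set. When the condition is met the SCP returns the first response message (first indication plus target instance identifier), the consumer requests a new token with that identifier as second information, and a stub NRF answers with a fourth token bound to the target. The NF type names, instance identifiers, NF Set identifiers, claim names and the indication value are constructed.

```python
"""Added example, not the patent's code: the SCP-side decision of the SCP 1600
embodiment, applied to already-verified token claims.  NF type names, instance
identifiers, NF Set identifiers and claim names are constructed."""

NF_TYPES = {"SMF", "AMF", "UDM", "PCF"}  # constructed; a real SCP knows the NF type names

def scp_first_condition(claims, first_id, second_id, second_set_id):
    """Return the satisfied alternatives of the first condition; non-empty means
    the first access token must not be reused for the second producer."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    type_bound = any(a in NF_TYPES for a in audiences)   # first-token shape
    hits = []
    if not type_bound and second_id not in audiences:
        hits.append("second producer instance id not in token")
    if audiences == [first_id]:
        hits.append("token usable only with the first producer")
    if type_bound and claims.get("producerNfSetId") not in (None, second_set_id):
        hits.append("token bound to a different NF Set")
    return hits

def scp_on_redirect(claims, first_id, second_id, second_set_id):
    """Handle the 307 from the first producer: forward the same token (third
    request message) or send the consumer the first response message."""
    hits = scp_first_condition(claims, first_id, second_id, second_set_id)
    if not hits:
        return {"action": "forward", "target": second_id}
    return {"action": "respond_to_consumer", "firstIndication": "HTTP_REDIRECT",
            "targetNfInstanceId": second_id, "reasons": hits}

def consumer_token_request(first_response, consumer_id, service):
    """Consumer side: the second information is the target instance id the SCP
    returned, so the NRF can bind the new token to exactly that producer."""
    return {"nfInstanceId": consumer_id, "scope": service,
            "targetNfInstanceId": first_response["targetNfInstanceId"]}

def nrf_fourth_token(token_request):
    """Constructed NRF stub: claims of the fourth access token (aud = target)."""
    return {"sub": token_request["nfInstanceId"], "scope": token_request["scope"],
            "aud": token_request["targetNfInstanceId"]}

def handle_redirect(claims, first_id, second_id, second_set_id,
                    consumer_id="amf-1", service="nsmf-pdusession"):
    """Whole path after the redirect: which request messages are used and the
    audience of the token that finally reaches the second producer."""
    decision = scp_on_redirect(claims, first_id, second_id, second_set_id)
    if decision["action"] == "forward":
        return {"path": "third request", "aud": claims["aud"]}
    new_claims = nrf_fourth_token(
        consumer_token_request(decision, consumer_id, service))
    return {"path": "fourth/fifth request", "aud": new_claims["aud"],
            "reasons": decision["reasons"]}
```

The useful property is that the SCP never widens a token on its own: a token that does not cover the redirect target is sent back to the consumer, and the replacement token the NRF mints names only the target instance, so the redirect cannot be used to reach a producer the consumer was never authorized for.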
Based on the above embodiments, an embodiment of this application further provides a network repository function. As shown in FIG. 17, the network repository function 1700 may include a transceiver unit 1701 and a processing unit 1702. The transceiver unit 1701 receives and sends information (messages or data) for the network repository function 1700; the processing unit 1702 controls and manages the actions of the network repository function 1700 and may also control the steps performed by the transceiver unit 1701.
In one embodiment, the network repository function 1700 may implement the functions of the NRF in the embodiment of FIG. 12. Specifically:
The transceiver unit 1701 is configured to receive a first request message from the service consumer network function requesting an access token, the first request message carrying the service name of the first service requested by the service consumer network function and the NF type or instance identifier of the requested service provider network function. The processing unit 1702 is configured to determine that a first condition is met and then generate a first access token, a second access token or multiple third access tokens. The transceiver unit 1701 is further configured to send the service consumer network function a first response message carrying the first access token, the second access token or the multiple third access tokens.
In one possible implementation, the processing unit 1702 is specifically configured to determine that the first condition is met when first information is received from the service consumer network function; or when the local configuration of the NRF indicates that the first service or the requested service provider network function supports HTTP redirection; or when the NF Profile of the first service or of the requested service provider network function indicates that the features supported by the first service or by the requested service provider network function include HTTP redirection.
在一种可能的实现方式中:In one possible implementation:
所述第一访问令牌包括所述请求的服务提供者网络功能的网络功能类型,和/或所述请求的服务提供者网络功能的网络功能集标识;The first access token includes a network function type of the requested service provider network function, and/or a network function set identifier of the requested service provider network function;
所述第二访问令牌包括多个服务提供者网络功能的实例标识;其中服务提供者网络功能可提供所述第一服务;The second access token includes instance identifiers of a plurality of service provider network functions; wherein the service provider network function can provide the first service;
所述第三访问令牌包括一个服务提供者网络功能的实例标识,其中该服务提供者网络功能可提供第一服务。The third access token includes an instance identifier of a service provider network function that can provide the first service.
在一种可能的实现方式中,所述第一请求消息包括第一信息,所述第一信息用于指示所述服务消费者网络功能支持HTTP重定向、或用于指示所述服务消费者网络功能请求第一服务支持HTTP重定向、或用于指示所述服务消费者网络功能请求服务提供者网络功能支持HTTP重定向、或用于指示所述第一服务支持HTTP重定向、或用于指示所述请求的服务提供者网络功能支持HTTP重定向。In a possible implementation manner, the first request message includes first information, and the first information is used to indicate that the service consumer network function supports HTTP redirection, or to indicate that the service consumer network function The function requests that the first service supports HTTP redirection, or is used to indicate that the service consumer network function requests the service provider network function to support HTTP redirection, or is used to indicate that the first service supports HTTP redirection, or is used to indicate The requested service provider web function supports HTTP redirection.
在一种可能的实现方式中,处理单元1702还用于:生成第一访问令牌、第二访问令 牌、或多个第三访问令牌之前,还包括:检查所述服务消费者网络功能的服务访问授权成功。In a possible implementation, the processing unit 1702 is further configured to: before generating the first access token, the second access token, or multiple third access tokens, further include: checking the service consumer network function Authorization for service access was successful.
It should be noted that the division into units in the embodiments of the present application is schematic and is only a division by logical function; other divisions are possible in actual implementation. The functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to perform all or some of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
Based on the above embodiments, an embodiment of the present application further provides a communication apparatus. Referring to FIG. 18, the communication apparatus 1800 may include a transceiver 1801 and a processor 1802. Optionally, the communication apparatus 1800 may further include a memory 1803. The memory 1803 may be located inside the communication apparatus 1800 or outside it. The processor 1802 may control the transceiver 1801 to receive and send information, data, and the like.
Specifically, the processor 1802 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor 1102 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.
The transceiver 1801, the processor 1802, and the memory 1803 are connected to one another. Optionally, the transceiver 1801, the processor 1802, and the memory 1803 are connected to one another through a bus 1804; the bus 1804 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 18, but this does not mean that there is only one bus or only one type of bus.
In an optional implementation, the memory 1803 is used to store programs and the like. Specifically, a program may include program code, and the program code includes computer operation instructions. The memory 1803 may include RAM and may also include non-volatile memory, for example one or more disk memories. The processor 1802 executes the application program stored in the memory 1803 to implement the above functions, thereby implementing the functions of the communication apparatus 1800.
In one embodiment, the communication apparatus 1800 may be used to implement the functions of the service consumer network function in the embodiment shown in FIG. 5, or the functions of the service communication proxy in FIG. 10, or the functions of the network repository function in FIG. 12. For details, refer to the related descriptions in the corresponding procedures, which are not described again here.
Based on the above embodiments, an embodiment of the present application provides a communication system, which may include the service consumer network function, the service provider network function (including the first service provider network function and/or the second service provider network function), and the network repository function involved in the above embodiments, and may further include the service communication proxy and the like.
An embodiment of the present application further provides a computer-readable storage medium for storing a computer program; when the computer program is executed by a computer, the computer can implement the network function service authorization method provided by the above method embodiments.
An embodiment of the present application further provides a computer program product for storing a computer program; when the computer program is executed by a computer, the computer can implement the network function service authorization method provided by the above method embodiments.
An embodiment of the present application further provides a chip, including a processor coupled to a memory and configured to call a program in the memory so that the chip implements the network function service authorization method provided by the above method embodiments.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, and the like) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, apparatuses (systems), and computer program products according to the present application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing equipment to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing equipment produce an apparatus for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing equipment, so that a series of operational steps are performed on the computer or other programmable equipment to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, those skilled in the art can make various changes and modifications to the present application without departing from the scope of the present application. Thus, if these modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to include them.

Claims (44)

  1. A network function service authorization method, characterized in that it includes:
    a service consumer network function sends a first request message to a network repository function according to first information, the first request message including second information and a service name of a first service, the first request message being used to request an access token, and the access token being used for an authorization check when the service consumer network function accesses the first service;
    the service consumer network function receives a first response message from the network repository function.
  2. The method according to claim 1, characterized in that:
    the first information is used to indicate that the service consumer network function supports the Hypertext Transfer Protocol (HTTP) redirection feature, and/or that the first service supports the HTTP redirection feature, and/or that the service provider network function providing the first service supports the HTTP redirection feature; or
    the first information includes a first indication and/or an instance identifier of a second service provider network function, the first indication being used to indicate that service access authorization has failed, or HTTP redirection, or that an access token should be obtained, or that another service provider network function is available; or
    the first information includes instance identifiers of a plurality of service provider network functions, the service provider network functions providing the first service; or
    the first information is used to instruct the service consumer network function to communicate with the service provider network function through a service communication proxy.
  3. The method according to claim 2, characterized in that, before the service consumer network function sends the first request message to the network repository function according to the first information, the method further includes:
    the service consumer network function receives the first information.
  4. The method according to claim 3, characterized in that the service consumer network function receiving the first information includes:
    the service consumer network function receives the first information sent by the network repository function, or a service communication proxy, or a first service provider network function.
  5. The method according to any one of claims 1 to 4, characterized in that the second information includes:
    a network function type of the service provider network function requested by the service consumer network function; or
    a network function set identifier of the service provider network function requested by the service consumer network function; or
    an instance identifier of a second service provider network function; or
    instance identifiers of a plurality of service provider network functions, the service provider network functions providing the first service.
  6. The method according to any one of claims 1 to 5, characterized in that the first response message includes any one of the following:
    a first access token, the first access token including a network function type of a service provider network function and/or a network function set identifier of a service provider network function; or
    a second access token, the second access token including instance identifiers of a plurality of service provider network functions; or
    a plurality of third access tokens, each third access token including an instance identifier of one service provider network function; or
    a fourth access token, the fourth access token including an instance identifier of a second service provider network function.
  7. The method according to claim 6, characterized in that, after the service consumer network function receives the first response message from the network repository function, the method further includes:
    the service consumer network function sends a second request message to a first service provider network function, or the second service provider network function, or a service communication proxy, the second request message being used to request a service and including the first access token, or the second access token, or the third access token, or the fourth access token.
  8. The method according to any one of claims 1 to 7, characterized in that, before the service consumer network function sends the first request message to the network repository function according to the first information, the method further includes:
    the service consumer network function sends a third request message to a first service provider network function or a service communication proxy, the third service request message being used to request the first service.
  9. The method according to any one of claims 1 to 8, characterized in that, before the service consumer network function sends the first request message to the network repository function according to the first information, the method further includes:
    the service consumer network function sends a fourth request message to the network repository function, the fourth request message including the service name of the first service and being used to request discovery of the first service or discovery of instances of network functions that can provide the first service.
  10. A network function service authorization method, characterized in that it includes:
    a service communication proxy receives a first request message from a service consumer network function, the first request message including a first access token;
    the service communication proxy sends a second request message to a first service provider network function, the second request message including the first access token;
    the service communication proxy receives a second response message from the first service provider network function, the second response message including information of a second service provider network function and a redirection status code, the redirection status code being used to indicate that service access authorization has failed, or Hypertext Transfer Protocol (HTTP) redirection, or that an access token should be obtained, or that another service provider network function is available;
    the service communication proxy sends a first response message to the service consumer network function, the first response message being used for the service consumer network function to request a second access token.
  11. The method according to claim 10, characterized in that the first response message includes first information, the first information including a first indication and/or an instance identifier of the second service provider network function;
    where the first indication is used to indicate that HTTP redirection has occurred, or to instruct the service consumer network function to obtain an access token, or to indicate that service access authorization has failed, or that another service provider network function is available.
  12. The method according to claim 10 or 11, characterized in that, before the service communication proxy sends the first response message to the service consumer network function, the method further includes:
    the service communication proxy determines that a first condition is met, where the first condition includes at least one of the following:
    the first access token does not include the instance identifier of the second service provider network function;
    the first access token cannot be used to authorize access to a service of the second service provider network function;
    the first access token can only be used to access specific service provider network function instances, or can only be used to access a service of the first service provider network function, the specific service provider network functions including the first service provider network function;
    the first access token does not include a network function type or a network function set identifier of a service provider network function;
    the first access token includes the instance identifier of the first service provider network function.
  13. The method according to claim 12, characterized in that it further includes:
    if the first condition is not met, the service communication proxy sends a third request message to the second service provider network function, the third request message including the first access token.
  14. The method according to any one of claims 10 to 13, characterized in that, after the service communication proxy sends the first response message to the service consumer network function, the method further includes:
    the service communication proxy receives a fourth request message sent by the service consumer network function, the fourth request message including the second access token;
    the service communication proxy sends a fifth request message to the second service provider network function, the fifth request message including the second access token.
  15. The method according to any one of claims 10 to 14, characterized in that the second access token includes the instance identifier of the second service provider network function, or a network function type of a service provider network function, or a network function set identifier of a service provider network function.
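As an added example that is not part of the patent text, the following Python sketch models the token issuance of the network repository function 1700 described above (the three ways the first condition is established, and the first, second and third access tokens) together with the proxy-side first condition of claim 12; all class and function names and the sample producer identifiers are assumptions made for illustration.

```python
# Added example (not from the patent): a toy model of NRF token issuance and of
# the "first condition" the service communication proxy checks in claim 12.
# Class and function names and the sample identifiers are assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class NfProfile:
    """Constructed stand-in for a producer's network function profile."""
    instance_id: str
    nf_type: str
    nf_set_id: str
    services: Tuple[str, ...]
    supported_features: Tuple[str, ...]  # e.g. ("http-redirect",)


@dataclass(frozen=True)
class AccessToken:
    """Audience claims only; token signing is out of scope for this sketch."""
    service_name: str
    nf_type: Optional[str] = None        # first token: producer NF type
    nf_set_id: Optional[str] = None      # first token: producer NF set identifier
    instance_ids: Tuple[str, ...] = ()   # second token: several producers; third: one


@dataclass(frozen=True)
class TokenRequest:
    """The first request message: service name plus requested NF type or instance."""
    service_name: str
    target_nf_type: Optional[str] = None
    target_instance_id: Optional[str] = None
    consumer_supports_redirect: bool = False  # the page's "first information"


def nrf_first_condition(req, local_config, candidates):
    """The first condition holds when the consumer sent the first information,
    when local configuration marks the service as redirect-capable, or when every
    candidate producer's profile lists the HTTP redirection feature."""
    if req.consumer_supports_redirect:
        return True
    if req.service_name in local_config.get("redirect_services", ()):
        return True
    return bool(candidates) and all(
        "http-redirect" in p.supported_features for p in candidates)


def issue_tokens(req, local_config, profiles, kind="first"):
    """Tokens the NRF returns in the first response message. kind selects the
    first token (NF type / NF set), the second token (all producer instance IDs)
    or a list of third tokens (one producer instance ID each)."""
    candidates = [p for p in profiles
                  if req.service_name in p.services
                  and (req.target_nf_type is None or p.nf_type == req.target_nf_type)]
    if not candidates:
        raise LookupError("no producer offers the requested service")
    if not nrf_first_condition(req, local_config, candidates):
        # Assumption: without redirect support the token is bound to one instance.
        target = req.target_instance_id or candidates[0].instance_id
        return [AccessToken(req.service_name, instance_ids=(target,))]
    if kind == "first":
        sets = {p.nf_set_id for p in candidates}
        nf_set = sets.pop() if len(sets) == 1 else None
        return [AccessToken(req.service_name, nf_type=candidates[0].nf_type,
                            nf_set_id=nf_set)]
    if kind == "second":
        return [AccessToken(req.service_name,
                            instance_ids=tuple(p.instance_id for p in candidates))]
    if kind == "third":
        return [AccessToken(req.service_name, instance_ids=(p.instance_id,))
                for p in candidates]
    raise ValueError("unknown token kind: %s" % kind)


def token_covers(token, producer):
    """Audience check: is this producer instance within the token's scope?"""
    if producer.instance_id in token.instance_ids:
        return True
    if token.nf_set_id is not None and token.nf_set_id == producer.nf_set_id:
        return True
    return token.nf_type is not None and token.nf_type == producer.nf_type


def scp_must_refetch_token(token, second_provider):
    """Claim 12 at the proxy: after the first producer redirected to
    second_provider, the first condition is met (True) when the consumer's
    token cannot authorize the second producer's service, e.g. it names only
    the first producer's instance ID and carries no NF type or NF set. If the
    token already covers the second producer, the proxy forwards it (claim 13)."""
    return not token_covers(token, second_provider)


# Constructed sample producers: two in set "set-a" support redirection, one does not.
SAMPLE_PROFILES = (
    NfProfile("prov-1", "TypeA", "set-a", ("service-1",), ("http-redirect",)),
    NfProfile("prov-2", "TypeA", "set-a", ("service-1",), ("http-redirect",)),
    NfProfile("prov-3", "TypeA", "set-b", ("service-1",), ()),
)
```

Running `issue_tokens` with `consumer_supports_redirect=True` yields a type-scoped first token that still covers `prov-2` after a redirect, whereas the fallback token bound to `prov-1` makes `scp_must_refetch_token` return True.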
  16. 一种通信方法,其特征在于,包括:A communication method, characterized in that, comprising:
    服务消费者网络功能根据第一信息,向网络仓库功能发送第一请求消息,所述第一请求消息中包括第二信息和第一服务的服务名称,所述第一请求消息用于请求获取访问令牌,所述访问令牌用于所述服务消费者网络功能访问所述第一服务时的授权检查;The service consumer network function sends a first request message to the network warehouse function according to the first information, the first request message includes the second information and the service name of the first service, and the first request message is used to request access to a token, the access token is used for an authorization check when the service consumer network function accesses the first service;
    所述网络仓库功能向所述服务消费者网络功能发送第一响应消息。The web repository function sends a first response message to the service consumer web function.
  17. 如权利要求16所述的方法,其特征在于:The method of claim 16, wherein:
    所述第一信息用于表示所述服务消费者网络功能支持超文本传输协议HTTP重定向特性,和/或所述第一服务支持HTTP重定向特性,和/或提供所述第一服务的服务提供者网络功能支持HTTP重定向特性;或者The first information is used to indicate that the service consumer network function supports the hypertext transfer protocol HTTP redirection feature, and/or the first service supports the HTTP redirection feature, and/or provides the service of the first service The provider network function supports the HTTP redirection feature; or
    所述第一信息包括第一指示和/或第二服务提供者网络功能的实例标识,所述第一指示用于指示服务访问授权失败或HTTP重定向或获取访问令牌或有其他可用的服务提供者网络功能;或者The first information includes a first indication and/or an instance identifier of the network function of the second service provider, and the first indication is used to indicate that service access authorization fails or HTTP redirects or obtains an access token or has other available services Provider Network Features; or
    所述第一信息包括多个服务提供者网络功能的实例标识;所述服务提供者网络功能提供所述第一服务;或者The first information includes instance identifications of a plurality of service provider network functions; the service provider network functions provide the first service; or
    所述第一信息用于指示所述服务消费者网络功能使用服务通信代理与服务提供者网络功能进行通信。The first information is used to instruct the service consumer network function to use the service communication proxy to communicate with the service provider network function.
  18. 如权利要求16所述的方法,其特征在于,所述第二信息包括:The method according to claim 16, wherein the second information includes:
    所述服务消费者网络功能请求的服务提供者网络功能的网络功能类型;或the network function type of the service provider network function requested by said service consumer network function; or
    所述服务消费者网络功能请求的服务提供者网络功能的网络功能集标识;或the network function set identification of the service provider network function requested by said service consumer network function; or
    第二服务提供者网络功能的实例标识;或Instance identification of the second service provider network function; or
    多个服务提供者网络功能的实例标识,所述服务提供者网络功能提供所述第一服务。Instance identifications of a plurality of service provider network functions that provide the first service.
  19. 如权利要求16-18任一项所述的方法,其特征在于,所述第一响应消息中包括以下任一项:The method according to any one of claims 16-18, wherein the first response message includes any of the following:
    第一访问令牌,所述第一访问令牌包括服务提供者网络功能的网络功能类型,和/或服务提供者网络功能的网络功能集标识;或者a first access token comprising a network function type of a service provider network function, and/or a network function set identifier of a service provider network function; or
    第二访问令牌,所述第二访问令牌包括多个服务提供者网络功能的实例标识;或者a second access token comprising instance identifications of a plurality of service provider network functions; or
    多个第三访问令牌,每个所述第三访问令牌分别包括一个服务提供者网络功能的实例标识;或者a plurality of third access tokens, each of which respectively includes an instance identifier of a service provider network function; or
    第四访问令牌,所述第四访问令牌包括第二服务提供者网络功能的实例标识。A fourth access token, the fourth access token including the instance identifier of the second service provider network function.
  20. 一种通信方法,其特征在于,包括:A communication method, characterized in that, comprising:
    服务消费者网络功能向服务通信代理发送第一请求消息,所述第一请求消息包括第一 访问令牌;The service consumer web function sends a first request message to the service communication agent, the first request message including the first access token;
    所述服务通信代理向第一服务提供者网络功能发送第二请求消息,所述第二请求消息包括所述第一访问令牌;the service communication agent sending a second request message to the first service provider network function, the second request message including the first access token;
    所述第一服务提供者网络功能向所述服务通信代理发送第二响应消息,所述第二响应消息包括第二服务提供者网络功能的信息和重定向状态码,所述重定向状态码用于指示服务访问授权失败或超文本传输协议HTTP重定向或获取访问令牌或有其他可用的服务提供者网络功能;The first service provider network function sends a second response message to the service communication agent, the second response message includes information of the second service provider network function and a redirection status code, and the redirection status code uses To indicate service access authorization failure or hypertext transfer protocol HTTP redirection or to obtain an access token or other available service provider network functions;
    所述服务通信代理向所述服务消费者网络功能发送第一响应消息,所述第一响应消息用于所述消费者网络功能请求获取第二访问令牌。The service communication agent sends a first response message to the service consumer network function, and the first response message is used for the consumer network function to request to acquire a second access token.
  21. The method according to claim 20, characterized in that the first response message includes first information, the first information including a first indication and/or an instance identifier of the second service provider network function;
    wherein the first indication is used to indicate that an HTTP redirection has occurred, or to instruct the service consumer network function to obtain an access token, or that service access authorization has failed, or that another service provider network function is available.
  22. The method according to any one of claims 20 to 21, characterized in that the second access token includes the instance identifier of the second service provider network function, or a network function type of a service provider network function, or a network function set identifier of a service provider network function.
  23. The method according to any one of claims 20 to 22, characterized in that, before the service communication proxy sends the first response message to the service consumer network function, the method further comprises:
    the service communication proxy determining that a first condition is satisfied, wherein the first condition includes at least one of the following:
    the first access token does not include the instance identifier of the second service provider network function;
    the first access token cannot be used to authorize access to a service of the second service provider network function;
    the first access token can only be used to access a specific service provider network function instance, or can only be used to access a service of the first service provider network function, the specific service provider network function including the first service provider network function;
    the first access token does not include a network function type or a network function set identifier of a service provider network function;
    the first access token includes the instance identifier of the first service provider network function.
  24. A communication device, characterized in that the communication device is a service consumer network function, the service consumer network function comprising a processing unit and a transceiver unit;
    the processing unit being configured to send, according to first information and through the transceiver unit, a first request message to a network repository function, the first request message including second information and a service name of a first service, the first request message being used to request an access token, the access token being used for an authorization check when the service consumer network function accesses the first service;
    the transceiver unit being configured to receive a first response message from the network repository function.
  25. The communication device according to claim 24, characterized in that:
    the first information is used to indicate that the service consumer network function supports a hypertext transfer protocol (HTTP) redirection feature, and/or that the first service supports the HTTP redirection feature, and/or that a service provider network function providing the first service supports the HTTP redirection feature; or
    the first information includes a first indication and/or an instance identifier of a second service provider network function, the first indication being used to indicate service access authorization failure, or an HTTP redirection, or that an access token is to be obtained, or that another service provider network function is available; or
    the first information includes instance identifiers of a plurality of service provider network functions, the service provider network functions providing the first service; or
    the first information is used to instruct the service consumer network function to communicate with a service provider network function through a service communication proxy.
  26. The communication device according to claim 25, characterized in that the processing unit is further configured to:
    receive the first information through the transceiver unit before sending the first request message to the network repository function through the transceiver unit according to the first information.
  27. The communication device according to claim 26, characterized in that the transceiver unit is specifically configured to:
    receive the first information sent by the network repository function, or by a service communication proxy, or by a first service provider network function.
  28. The communication device according to any one of claims 24 to 27, characterized in that the second information includes:
    a network function type of the service provider network function requested by the service consumer network function; or
    a network function set identifier of the service provider network function requested by the service consumer network function; or
    an instance identifier of a second service provider network function; or
    instance identifiers of a plurality of service provider network functions, the service provider network functions providing the first service.
  29. The communication device according to any one of claims 24 to 28, characterized in that the first response message includes any one of the following:
    a first access token, the first access token including a network function type of a service provider network function and/or a network function set identifier of a service provider network function; or
    a second access token, the second access token including instance identifiers of a plurality of service provider network functions; or
    a plurality of third access tokens, each third access token including the instance identifier of one service provider network function; or
    a fourth access token, the fourth access token including the instance identifier of the second service provider network function.
  30. The communication device according to claim 29, characterized in that the transceiver unit is further configured to:
    after receiving the first response message from the network repository function, send a second request message to the first service provider network function, or to the second service provider network function, or to a service communication proxy, the second request message being used to request a service and including the first access token, or the second access token, or the third access token, or the fourth access token.
  31. The communication device according to any one of claims 24 to 30, characterized in that the processing unit is further configured to:
    send, through the transceiver unit, a third request message to a first service provider network function or to a service communication proxy before sending the first request message to the network repository function through the transceiver unit according to the first information, the third request message being used to request the first service.
  32. The communication device according to any one of claims 24 to 31, characterized in that the processing unit is further configured to:
    send, through the transceiver unit, a fourth request message to the network repository function before sending the first request message to the network repository function through the transceiver unit according to the first information, the fourth request message including the service name of the first service and being used to request discovery of the first service or discovery of network function instances capable of providing the first service.
  33. A communication device, characterized in that the communication device is a service communication proxy, the service communication proxy comprising a processing unit and a transceiver unit;
    the transceiver unit being configured to:
    receive a first request message from a service consumer network function, the first request message including a first access token;
    under the control of the processing unit, send a second request message to a first service provider network function, the second request message including the first access token;
    receive a second response message from the first service provider network function, the second response message including information of a second service provider network function and a redirection status code, the redirection status code being used to indicate service access authorization failure, or a hypertext transfer protocol (HTTP) redirection, or that an access token is to be obtained, or that another service provider network function is available;
    under the control of the processing unit, send a first response message to the service consumer network function, the first response message being used by the service consumer network function to request a second access token.
  34. The communication device according to claim 33, characterized in that the first response message includes first information, the first information including a first indication and/or an instance identifier of the second service provider network function;
    wherein the first indication is used to indicate that an HTTP redirection has occurred, or to instruct the service consumer network function to obtain an access token, or that service access authorization has failed, or that another service provider network function is available.
  35. The communication device according to claim 33 or 34, characterized in that the processing unit is configured to:
    determine, before the transceiver unit sends the first response message to the service consumer network function, that a first condition is satisfied, wherein the first condition includes at least one of the following:
    the first access token does not include the instance identifier of the second service provider network function;
    the first access token cannot be used to authorize access to a service of the second service provider network function;
    the first access token can only be used to access a specific service provider network function instance, or can only be used to access a service of the first service provider network function, the specific service provider network function including the first service provider network function;
    the first access token does not include a network function type or a network function set identifier of a service provider network function;
    the first access token includes the instance identifier of the first service provider network function.
  36. The communication device according to claim 35, characterized in that the processing unit is further configured to:
    if the first condition is not satisfied, send a third request message to the second service provider network function through the transceiver unit, the third request message including the first access token.
  37. The communication device according to any one of claims 33 to 36, characterized in that the transceiver unit is further configured to:
    after sending the first response message to the service consumer network function, receive a fourth request message sent by the service consumer network function, the fourth request message including the second access token; and send a fifth request message to the second service provider network function, the fifth request message including the second access token.
  38. The communication device according to any one of claims 33 to 37, characterized in that the second access token includes the instance identifier of the second service provider network function, or a network function type of a service provider network function, or a network function set identifier of a service provider network function.
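The redirect handling of claims 20 to 23 and 33 to 38, together with the four token forms the network repository function returns in claim 29, as an added Python example that is not part of the patent and not code from any 3GPP implementation. The names `NfProfile`, `TokenRequest`, `issue_tokens`, `token_covers`, `first_condition` and `scp_on_redirect`, the claim name `producer_nf_set_id` and the indication value `HTTP_REDIRECT` are assumptions made for this example; the access token is modelled as a plain dict of claims (`iss`, `sub`, `aud`, `scope`, `exp` follow the usual JWT vocabulary), with signing and the HTTP transport left out.

```python
# Added example (not the patent's own code): a hypothetical NRF issuing the four
# token forms of claim 29, and a hypothetical SCP applying the "first condition"
# of claims 23/35 after the first producer NF answers with a redirection status
# code that names a second producer NF.  All field and function names are assumed.
import time
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class NfProfile:                      # constructed stand-in for a producer NF profile
    instance_id: str
    nf_type: str
    nf_set_id: Optional[str] = None


@dataclass
class TokenRequest:                   # the "second information" plus the service name
    consumer_id: str
    service_name: str
    nf_type: Optional[str] = None                          # producer NF type
    nf_set_id: Optional[str] = None                        # producer NF set identifier
    instance_ids: List[str] = field(default_factory=list)  # one or several instance ids


def issue_tokens(req: TokenRequest, per_instance: bool = False, ttl: int = 3600) -> List[dict]:
    """Hypothetical NRF: derive the audience from the second information.
    Returns one token (first, second or fourth form of claim 29) or, with
    per_instance=True, one token per instance identifier (third form)."""
    base = {"iss": "nrf-1", "sub": req.consumer_id, "scope": req.service_name,
            "exp": int(time.time()) + ttl}
    if req.instance_ids:
        if per_instance:                                   # third form
            return [dict(base, aud=[i]) for i in req.instance_ids]
        return [dict(base, aud=list(req.instance_ids))]    # second / fourth form
    if req.nf_type is None and req.nf_set_id is None:
        raise ValueError("second information must name a type, a set or instances")
    tok = dict(base)
    if req.nf_type:
        tok["aud"] = req.nf_type                           # first form: audience is the NF type
    if req.nf_set_id:
        tok["producer_nf_set_id"] = req.nf_set_id          # assumed claim name
    return [tok]


def instance_audience(token: dict) -> List[str]:
    """Instance identifiers the token is bound to (empty for type/set audiences)."""
    aud = token.get("aud")
    return list(aud) if isinstance(aud, list) else []


def token_covers(token: dict, producer: NfProfile) -> bool:
    """Would this token authorize access to `producer`?  Unexpired, and the
    audience matches by NF type, by NF set identifier, or by instance id."""
    if token.get("exp", 0) <= time.time():
        return False
    if isinstance(token.get("aud"), str) and token["aud"] == producer.nf_type:
        return True
    if token.get("producer_nf_set_id") and token["producer_nf_set_id"] == producer.nf_set_id:
        return True
    return producer.instance_id in instance_audience(token)


def first_condition(token: dict, first: NfProfile, second: NfProfile) -> List[str]:
    """The conditions of claims 23/35; a non-empty list means the SCP must ask the
    consumer for a new token rather than forward the old one.  The 'does not
    include the second producer's instance id' condition is read here as applying
    to instance-bound tokens only, so that type- and set-scoped tokens can still be
    forwarded under claim 36."""
    ids = instance_audience(token)
    reasons = []
    if ids and second.instance_id not in ids:
        reasons.append("token lacks instance id of second producer")
    if not token_covers(token, second):
        reasons.append("token cannot authorize second producer's service")
    if first.instance_id in ids:
        reasons.append("token bound to specific instances, including first producer")
    if not isinstance(token.get("aud"), str) and not token.get("producer_nf_set_id"):
        reasons.append("token carries neither NF type nor NF set id")
    return reasons


def scp_on_redirect(token: dict, first: NfProfile, second: NfProfile) -> dict:
    """SCP decision after `first` answered with a redirection status code naming
    `second`: forward the first token (claim 36) or return the first information
    so the consumer fetches a second token (claims 21/34)."""
    reasons = first_condition(token, first, second)
    if not reasons:
        return {"action": "forward", "target": second.instance_id, "access_token": token}
    return {"action": "respond",
            "first_information": {"first_indication": "HTTP_REDIRECT",   # assumed encoding
                                  "second_producer_instance_id": second.instance_id},
            "reasons": reasons}


if __name__ == "__main__":
    udm1 = NfProfile("udm-1", "UDM", "set-a")     # constructed sample producers
    udm2 = NfProfile("udm-2", "UDM", "set-a")
    bound = issue_tokens(TokenRequest("amf-1", "nudm-sdm", instance_ids=["udm-1"]))[0]
    typed = issue_tokens(TokenRequest("amf-1", "nudm-sdm", nf_type="UDM"))[0]
    print(scp_on_redirect(bound, udm1, udm2)["action"], scp_on_redirect(typed, udm1, udm2)["action"])
```

A token whose audience is an NF type or an NF set is forwarded to the second producer unchanged, while a token bound to the first producer's instance identifier is refused at the proxy and the consumer is told, with the second producer's instance identifier, to obtain a fresh token; the consumer never learns more than it needs to repeat the token request.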
  39. A communication device, characterized in that it comprises one or more processors and one or more memories, wherein the one or more memories store one or more computer programs, the one or more computer programs comprising instructions which, when executed by the one or more processors, cause the communication device to perform the method according to any one of claims 1 to 9 or the method according to any one of claims 10 to 15.
  40. A communication system, characterized in that it comprises a service consumer network function and a network repository function, the service consumer network function being configured to perform the method according to any one of claims 1 to 9.
  41. A communication system, characterized in that it comprises a service consumer network function, a service provider network function and a service communication proxy, the service communication proxy being configured to perform the method according to any one of claims 10 to 15.
  42. A computer-readable storage medium, characterized in that the computer-readable storage medium comprises a computer program which, when run on a computing device, causes the computing device to perform the method according to any one of claims 1 to 9 or the method according to any one of claims 10 to 15.
  43. A chip, characterized in that the chip is coupled to a memory and is configured to read and execute program instructions stored in the memory so as to implement the method according to any one of claims 1 to 9 or the method according to any one of claims 10 to 15.
  44. A computer program product, characterized in that, when the computer program product is invoked by a computer, it causes the computer to perform the method according to any one of claims 1 to 9 or the method according to any one of claims 10 to 15.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110909303.5A CN115915137A (en) 2021-08-09 2021-08-09 Network function service authorization method and device
CN202110909303.5 2021-08-09

Publications (1)

Publication Number Publication Date
WO2023016255A1 true WO2023016255A1 (en) 2023-02-16

Family

ID=85199853

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/108155 WO2023016255A1 (en) 2021-08-09 2022-07-27 Network function service authorization method and apparatus

Country Status (2)

Country Link
CN (1) CN115915137A (en)
WO (1) WO2023016255A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020174119A1 (en) * 2019-02-25 2020-09-03 Nokia Solutions And Networks Oy Combined service discovery and connection setup for service-based architectures
CN111865888A (en) * 2019-04-29 2020-10-30 华为技术有限公司 Proxy subscription authorization method and device
CN112087412A (en) * 2019-06-14 2020-12-15 大唐移动通信设备有限公司 Service access processing method and device based on unique token
CN112367666A (en) * 2020-11-05 2021-02-12 广州爱浦路网络技术有限公司 Method, device and system for allowing pNF in 5G core network to pass NRF authentication cNF

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116668542A (en) * 2023-07-27 2023-08-29 之江实验室 Service execution method based on heterogeneous resource binding under enhanced service architecture
CN116668542B (en) * 2023-07-27 2023-09-22 之江实验室 Service execution method based on heterogeneous resource binding under enhanced service architecture

Also Published As

Publication number Publication date
CN115915137A (en) 2023-04-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 22855238; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)