WO2023031037A1 - Network function service authorization in a wireless communication network - Google Patents

Abstract

Network equipment (600), configured as a proxy (60) in a first wireless communication network (10), receives, from a second wireless communication network (20), a request (50) for a network function, NF, service producer (30) in the first wireless communication network (10) to provide a service to an NF service consumer (40) in the second wireless communication network (20). The request (50) does not include an access token indicating authorization to consume the service from the NF service producer (30). The network equipment (600) obtains, on behalf of the NF service consumer (40), an access token (70) from a network repository function, NRF, (80) in the first wireless communication network (10). The obtained access token (70) indicates authorization to consume the service from the NF service producer (30). The network equipment (600) then transmits, towards the NF service producer (30), the received request (50) along with the obtained access token (70).

Description

NETWORK FUNCTION SERVICE AUTHORIZATION IN A WIRELESS COMMUNICATION

NETWORK

TECHNICAL FIELD

The present application relates generally to consumption of a service in a wireless communication network, and more particularly relates to authorization for such consumption.

BACKGROUND

The next generation (5G) core network (CN) uses a service-based architecture that leverages service-based interactions between CN network functions (NFs). NFs in this regard enable other authorized NFs to access their services. Alternatively or in addition to predefined interfaces being defined between NFs, an instance of an NF needing to consume a service of a certain type queries a so-called network repository function (NRF) to discover and communicate with an instance of another NF that provides that certain type of service.

In particular, NFs can take on a provider role as a provider of a service (NFp) and/or a consumer role as a consumer of a service (NFc). An instance of an NFp starts and registers itself to the NRF. This registration allows the NRF to be aware that the instance of the NFp exists. At a later point, an instance of an NFc that needs to use a specific service runs a procedure called discovery towards the NRF. In case the NRF has a registered instance of the NFp that matches this discovery request, the NRF provides the instance of the NFc with information needed to set up communication with a discovered instance of the NFp. This information may be for example the Internet Protocol (IP) address and port of the NFp instance.

The service-based architecture advantageously enables greater flexibility and speed in the development of new CN services, as it becomes possible to connect to other components without introducing new interfaces. The service-based architecture also introduces the possibility to use application programming interfaces (APIs) based on web technology that makes development easier, as libraries and development tools for such technology are already broadly available. The service-based architecture nonetheless introduces security challenges in a roaming scenario where the NFc is in a different network than the NFp. Challenges exist, for example, in ensuring that an NFc in the serving network is authorized to consume a service of an NFp in the home network, especially in a way that accommodates for the possibility that the serving and home networks might use different authorization frameworks.

SUMMARY

Some embodiments herein provide network function (NF) service authorization in a way that advantageously accommodates for different wireless communication networks using different authorization frameworks. According to some embodiments, a proxy obtains an access token (e.g., according to an OAuth 2.0 framework) on behalf of an NF service consumer and supplements the NF service consumer’s service request with the obtained access token. This way, even if the NF service consumer’s service request lacks an access token, as may be the case if the NF service consumer generated that service request according to a different authorization framework (e.g., a static authorization framework), authorization of the service request can still proceed on the basis of the access token that the proxy obtained on behalf of the NF service consumer.

More particularly, embodiments herein include a method performed by network equipment configured as a proxy in a first wireless communication network. The method comprises receiving, from a second wireless communication network, a request for a network function (NF) service producer in the first wireless communication network to provide a service to an NF service consumer in the second wireless communication network. The request does not include an access token indicating authorization to consume the service from the NF service producer. The method further comprises obtaining, on behalf of the NF service consumer, an access token from a network repository function (NRF) in the first wireless communication network. The obtained access token indicates authorization to consume the service from the NF service producer. The method then comprise transmitiung, towards the NF service producer, the received request along with the obtained access token.

In some embodiments, obtaining the access token comprises transmitting a request for the access token to the NRF in the first wireless communication network. The request for the access token includes a field that indicates the request for the access token originated from the proxy and/or is on behalf of the NF service consumer. In this case, obtaining the access token further comprises, responsive to the request, receiving the access token from the network repository function. In some embodiments, the proxy is a security edge protection proxy, SEPP, and the field is a setBySepp field whose value is set to true to indicate the request for the access token originated from the SEPP. In some embodiments, the request for the access token includes a list of one or more target wireless communication networks related to the NF service producer.

In some embodiments, the method further comprises determining whether or not to obtain the access token on behalf of the NF service consumer. Said obtaining is performed in response to determining to obtain the access token. In this case, said determining comprises deciding whether or not to obtain the access token on behalf of the NF service consumer, based on an identity of the second wireless communication network, a type of the NF service consumer, and/or a type of the NF service producer.

In some embodiments, the access token is issued to the proxy. Alternatively or additionally in other embodiments, the proxy is a subject of the access token.

In some embodiments, the access token is issued to another proxy in the second wireless communication network and/or wherein the other proxy in the second wireless communication network is a subject of the access token. Alternatively in other embodiments, the access token is issued to the NF service consumer and/or wherein the NF service consumer is a subject of the access token.

In some embodiments, the method further comprises inserting the obtained access token into the received request, and said transmitting comprises transmitting the received request, with the obtained access token included therein, towards the NF service producer.

In some embodiments, the proxy is a security edge protection proxy, SEPP, and the request is received from a security edge protection proxy in the second wireless communication network.

In some embodiments, the first wireless communication network requires OAuth 2.0 based authorization of NF service access. In some embodiments, the access token is an OAuth 2.0 access token. In some embodiments, the second wireless communication network does not require OAuth 2.0 based authorization of NF service access. Alternatively or additionally, NF service access in the second wireless communication network is based on static authorization.

In some embodiments, the obtained access token is a JavaScript Object Notation, JSON, Web Token. Alternatively or additionally, the obtained access token is secured with one or more digital signatures or Message Authentication Code(s) based on a JSON Web Signature.

Other embodiments herein include a method performed by network equipment configured to implement a network repository function in a first wireless communication network. The method comprises receiving, from a proxy in the first wireless communication network, a request for an access token that indicates authorization to consume a service from a network function, NF, service producer in the first wireless communication network. The request for the access token indicates the request for the access token originated from the proxy and/or is on behalf of an NF service consumer in a second wireless communication network. In this case, the method further comprises, responsive to the request, transmitting the requested access token to the proxy.

In some embodiments, the request for the access token includes a field that indicates the request for the access token originated from the proxy and/or is on behalf of the NF service consumer. In some embodiments, the proxy is a security edge protection proxy, SEPP, and the field is a setBySepp field whose value is set to true to indicate the request for the access token originated from the SEPP.

In some embodiments, the request for the access token includes a list of one or more target wireless communication networks related to the NF service producer.

In some embodiments, the method further comprises receiving, from the proxy, an NF service discovery request and transmitting an NF service discovery response that indicates whether or not the proxy is to request the access token from the network repository function.

In some embodiments, the access token is issued to the proxy and/or wherein the proxy is a subject of the access token. In some embodiments, the access token is issued to another proxy in the second wireless communication network and/or wherein the other proxy in the second wireless communication network is a subject of the access token. Alternatively, the access token is issued to the NF service consumer and/or wherein the NF service consumer is a subject of the access token.

In some embodiments, the proxy is a security edge protection proxy, SEPP.

In some embodiments, the first wireless communication network requires OAuth 2.0 based authorization of NF service access. In some embodiments, the access token is an OAuth 2.0 access token. In some embodiments, the second wireless communication network does not require OAuth 2.0 based authorization of NF service access. Alternatively or additionally, NF service access in the second wireless communication network is based on static authorization.

In some embodiments, the access token is a JavaScript Object Notation, JSON, Web Token. Alternatively or additionally, the access token is secured with one or more digital signatures or Message Authentication Code(s) based on a JSON Web Signature.

In some embodiments, the method further comprises verifying the proxy. In other embodiments, the method alternatively or additionally comprises bypassing a check of information associated with the NF service consumer.

In some embodiments, the method further comprises refraining from verifying that input parameters in the request match with corresponding ones in a public key certificate of the NF service consumer or those in an NF profile of the NF service consumer. In other embodiments, the method alternatively or additionally comprises refraining from checking whether the NF service consumer is authorized to access the service.

Other embodiments herein include a method performed by network equipment configured to provide a service as a network function, NF, service producer in a first wireless communication network. The method comprises receiving, from a proxy in the first wireless communication network, a request for the service producer in the first wireless communication network to provide a service to an NF service consumer in a second wireless communication network. The request includes an access token indicating authorization to consume the service from the NF service producer. In this case, the method further comprises verifying an integrity of the access token and/or claims in the access token, based on the access token having been obtained by the proxy on behalf of the NF service consumer and/or based on a request for the access token having originated from the proxy. In this case, the method further comprises responding to the request in dependence on said verifying.

In some embodiments, the proxy is a security edge protection proxy, SEPP, and said verifying is based on SEPP being an allowed value for an nfType field in the request and/or in the access token.

In some embodiments, the access token is issued to the proxy. Alternatively or additionally in other embodiments, the proxy is a subject of the access token. In some embodiments, the access token is issued to another proxy in the second wireless communication network and/or wherein the other proxy in the second wireless communication network is a subject of the access token. In other embodiments, the access token is issued to the NF service consumer and/or wherein the NF service consumer is a subject of the access token.

In some embodiments, the proxy is a security edge protection proxy, SEPP.

In some embodiments, the first wireless communication network requires OAuth 2.0 based authorization of NF service access. The access token is an OAuth 2.0 access token. In some embodiments, the second wireless communication network does not require OAuth 2.0 based authorization of NF service access. Alternatively or additionally in other embodiments, NF service access in the second wireless communication network is based on static authorization.

In some embodiments, the access token is a JavaScript Object Notation, JSON, Web Token. In other embodiments, the access token alternatively or additionally is secured with one or more digital signatures or Message Authentication Code(s) based on a JSON Web Signature.

Other embodiments herein include network equipment configured as a proxy in a first wireless communication network. The network equipment comprises communication circuitry and processing circuitry. The processing circuitry is configured to receive, from a second wireless communication network, a request for a network function, NF, service producer in the first wireless communication network to provide a service to an NF service consumer in the second wireless communication network. The request does not include an access token indicating authorization to consume the service from the NF service producer. In this case, the processing circuitry is further configured to obtain, on behalf of the NF service consumer, an access token from a network repository function, NRF, in the first wireless communication network. The obtained access token indicates authorization to consume the service from the NF service producer. In this case, the processing circuitry is further configured to transmit, towards the NF service producer, the received request along with the obtained access token.

In some embodiments, the processing circuitry is configured to perform the steps described above for network equipment configured as a proxy in a first wireless communication network.

Other embodiments herein include network equipment configured to implement a network repository function in a first wireless communication network. The network equipment comprises communication circuitry and processing circuitry. The processing circuitry is configured to receive, from a proxy in the first wireless communication network, a request for an access token that indicates authorization to consume a service from a network function, NF, service producer in the first wireless communication network. The request for the access token indicates the request for the access token originated from the proxy and/or is on behalf of an NF service consumer in a second wireless communication network. In this case, the processing circuitry is further configured to, responsive to the request, transmit the requested access token to the proxy.

In some embodiments, the processing circuitry is configured to perform the steps described above for network equipment configured to implement a network repository function in a first wireless communication network.

Other embodiments herein include network equipment configured to provide a service as a network function, NF, service producer in a first wireless communication network. The network equipment comprises communication circuitry and processing circuitry. The processing circuitry is configured to receive, from a proxy in the first wireless communication network, a request for the service producer in the first wireless communication network to provide a service to an NF service consumer in a second wireless communication network. The request includes an access token indicating authorization to consume the service from the NF service producer. In this case, the processing circuitry is further configured to verify an integrity of the access token and/or claims in the access token, based on the access token having been obtained by the proxy on behalf of the NF service consumer and/or based on a request for the access token having originated from the proxy. In this case, the processing circuitry is further configured to respond to the request in dependence on said verifying.

In some embodiments, the processing circuitry is configured to perform the steps described above for network equipment configured to provide a service as a network function, NF, service producer in a first wireless communication network.

Other embodiments herein include a computer program comprising instructions which, when executed by at least one processor of network equipment, causes the network equipment to perform the steps described above for network equipment configured as a proxy in a first wireless communication network.

In some embodiments, a carrier containing the computer program is one of an electronic signal, optical signal, radio signal, or computer readable storage medium.

Of course, the present disclosure is not limited to the above features and advantages. Indeed, those skilled in the art will recognize additional features and advantages upon reading the following detailed description, and upon viewing the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a block diagram of first and second wireless communication networks according to some embodiments.

Figure 2 is a call flow diagram of NF service authorization according to some embodiments.

Figure 3 is a logic flow diagram of a method performed by network equipment configured as a proxy in a first wireless communication network according to some embodiments. Figure 4 is a logic flow diagram of a method performed by network equipment configured to implement a network repository function in a first wireless communication network according to some embodiments.

Figure 5 is a logic flow diagram of a method performed by network equipment configured to provide a service as a network function, NF, service producer in a first wireless communication network according to some embodiments.

Figure 6 is a block diagram of network equipment configured to implement a proxy, a network repository function, or an NF service producer in a first wireless communication network according to some embodiments.

Figure 7 is a block diagram of a wireless communication network, in the form of a communication system, in accordance with some embodiments.

Figure 8 is a block diagram of a user equipment according to some embodiments.

Figure 9 is a block diagram of a network node according to some embodiments.

Figure 10 is a block diagram of a host according to some embodiments.

Figure 11 is a block diagram illustrating a virtualization environment in which functions implemented by some embodiments may be virtualized.

DETAILED DESCRIPTION

Figure 1 shows a first wireless communication network 10 and a second wireless communication network 20 according to some embodiments. The first wireless communication network 10 may for example be a home network of a wireless communication device or subscriber (not shown), whereas the second wireless communication network 20 may be a serving or visited network of the wireless communication device or subscriber.

The first and second wireless communication networks 10, 20 in some embodiments each have a service-based architecture that leverages service-based interactions between network functions (NFs). Each NF may be implemented by network equipment either as a network element on dedicated hardware, as a software instance running on dedicated hardware, or as a virtualized function instantiated on an appropriate platform, e.g., on a cloud infrastructure. In a 5G network, for instance, NFs in the control plane may include an access and mobility management function (AMF), a session management function (SMF), a policy control function (PCF), an authentication server function (AUSF), a unified data management (UDM) function, etc.

An NF may provide its services to other authorized NFs that consume those services. An NF may thereby take on a producer role as a provider of a service (NF service producer) and/or a consumer role as a consumer of a service (NF service consumer).

In the example of Figure 1 , NFp 30 in the first wireless communication network 10 operates as an NF service producer to provide a service and NFc 40 in the second wireless communication network 20 operates as an NF service consumer to consume that service. In order for NFc 40 to consume the service from NFo 30. NFc 40 transmits a service request 50 towards NFp 30, requesting that NFp 30 provide the service to NFc 40. NFp 30 is to provide the service as requested, but only if NFc 40 is authorized to consume that service from NFp 30.

According to some embodiments in this regard, though, the first and second wireless communication networks 10, 20 authorize NF service requests according to different authorization frameworks. For example, in one embodiment, the first wireless communication network 10 requires access token based authorization (e.g., OAuth 2.0 based authorization) for NF service access, whereas the second wireless communication network 10 does not require access token based authorization for NF service access. In fact, in some embodiments, NF service access in the second wireless communication network 10 is based on static authorization. Such static authorization may be based on a local authorization policy in the second wireless communication network 10, e.g., such that which NF service consumers are authorized to consume which services from which NF service producers is statically memorialized in a database or table in the second wireless communication network 10.

In these and other embodiments, then, the NFp 30 may be configured to verify whether the NFc 40 is authorized to consume the service based on whether NFc 40 provides a valid access token, e.g., indicating authorization to consume the service. Yet, since the second wireless communication network 20 may not use token based authorization for NF service access, the NFc 40 may not include any access token in its service request 50 to the NFp 30.

Some embodiments herein provide NF service authorization in a way that advantageously accommodates for this scenario where the first and second wireless communication networks 10, 20 use different authorization frameworks. According to some embodiments, a proxy 60 in the first wireless communication network 10 obtains an access token 70 on behalf of the NFc 40 and supplements NFc’s service request 50 with the obtained access token 70. This way, even if the NFc’s service request 50 lacks an access token, as may be the case if the NFc 40 generated that service request 50 according to a different authorization framework (e.g., a static authorization framework), authorization of the service request 50 can still proceed on the basis of the access token 70 that the proxy 60 obtained on behalf of the NFc 40.

More particularly, according to some embodiments, the proxy 60 in the first wireless communication network 10 receives a request 50 for NFp 30 to provide a service to NFc 40 in the second wireless communication network 20. The proxy 60 may for example receive the request 50 from the second wireless communication network 20, e.g., from another proxy 90 in the second wireless communication network 20. In any event, the request 50 does not include an access token indicating authorization to consume the service from the NFp 30, e.g., because the second wireless communication network 20 uses static authorization for NF service requests.

According to embodiments herein, then, the proxy 60 obtains an access token 70 on behalf of the NFc 40. The access token 70 indicates authorization to consume the service from the NFp 30, e.g., according to the OAuth 2.0 authorization framework. In some embodiments, that the proxy 60 obtains the access token 70 on behalf of the NFc 40 means the proxy 60 obtains the access token 70 in or for the interest of the NFc 40, e.g., for authorization of the NFc 40 to consume the NFp’s service, as opposed to for authorization of the proxy 60 itself. In one or more embodiments, for instance, the access token 70 may be issued to the proxy 60 and/or the proxy 60 may be the subject of the access token 70, yet the proxy 60 uses the access token 70 for authorizing the NFc 40 to consume the service from the NFp 30. Alternatively or additionally, that the proxy 60 obtains the access token 70 on behalf of the NFc 40 means that the proxy 60 obtains the access token 70 as a representative of the NFc 40. In one or more other embodiments, for instance, at the proxy’s request, the access token 70 is issued to the NFc 40 and/or the NFc 40 is the subject of the access token 70.

The proxy 60 may for example obtain the access token 70 by receiving the access token 70 from a network repository function (NRF) 80 in the first wireless communication network 10, e.g., in response to a request 75 for the access token 70. In this case, the request 75 for the access token 70 may include a field that indicates the request 75 for the access token 70 originated from the proxy 60 and/or is on behalf of the NFc 40. The field may for instance be a setBySepp field or an nfType field, as elaborated on more fully later herein. Regardless, based on the request 75 including such a field, the NRF 80 may verify the proxy 60 and/or bypass a check of information associated with the NFc 40. The NRF 80 may for example refrain from verifying that input parameters in the request 75 match with corresponding ones in a public key certificate of the NFc 40 or those in an NF profile of the NFc 40. Alternatively or additionally, the NRF 80 may refrain from checking whether the NFc 40 is authorized to access the service.

In some embodiments, the proxy 60 obtains the access token 70 responsive to identifying that the service request 50 lacks any access token for authorizing the service request according to the authorization framework used by the first wireless communication network 10. In this case, then, the proxy obtains the access token 70 after having received the service request 50. In other embodiments, by contrast, the proxy 60 obtains the access token 70 proactively in advance of receiving the service request 50. In this case, for instance, the proxy 60 may obtain the access token 70 in anticipation of receiving such a service request 50, and store the access token 70 in memory for use once the proxy 60 actually receives the service request 50.

Regardless, having obtained the access token 70 on behalf of the NFc 40, the proxy 60 transmits the service request 50 towards the NFp 30, along with the access token 70. The proxy 60 may for example insert or otherwise include the access token 70 in the service request 50 before forwarding the service request 50 towards the NFp 30.

The NFp 30 may then verify the integrity of the access token 70 and/or claims in the access token 70, based on the access token 70 having been obtained by the proxy 60 on behalf of the NFc 40 and/or based on the request 75 for the access token 70 having originated from the proxy 60. Figure 2 illustrates one example where the first wireless communication network 10 is exemplified as a home Public Land Mobile Network (PLMN), the second wireless communication network 20 is exemplified as a serving PLMN, the NFc 40 is exemplified as an NF Service Consumer, the NFp 30 is exemplified as an NF Service Producer, the proxy 60 is exemplified as a provider security edge protection proxy (pSEPP), the proxy 90 is exemplified as a consumer SEPP (cSEPP), and NRF 80 is exemplified as a home NRF (hNRF). In Figure 2’s example, the serving PLMN implements static authorization and the home PLMN implements OAuth 2.0 authorization. The access token 70 in Figure 2 is therefore exemplified as an OAuth 2.0 access token, e.g., a JavaScript Object Notation, JSON, Web Token. The access token may for instance be secured with one or more digital signatures or Message Authentication Code(s) based on a JSON Web Signature.

More particularly, with reference to the steps in Figure 2:

Step 1 . As static authorization is used at the serving network, the NF Service Consumer sends a service/subscription request (without an access token) to the cSEPP in the serving PLMN.

Step 2. The cSEPP forwards the service/subscription request (without an access token) to the pSEPP in the home PLMN.

The pSEPP then checks if OAuth2 is required.

In one alternative, the pSEPP checks if OAuth2 is required by local configuration. By local configuration, the pSEPP may know that OAuth2.0 is required.

In another alternative, the pSEPP checks if OAuth2 is required by checking with the hNRF. Steps 3-4 show this alternative:

Step 3. pSEPP sends an NF service discovery request to the hNRF.

Step 4. The hNRF sends an NF service discovery response to the pSEPP. From the NRF response, the pSEPP knows that OAuth2.0 is required by the NFp.

Step 5. Based on determining that OAuth2 is required, the pSEPP sends an Access token request to the hNRF. The hNRF authenticates the pSEPP. The hNRF determines that the access token request is originated by a SEPP and bypasses the NFc info check.

Step 6. The hNRF sends an Access token response to the pSEPP with a granted Access token claim.

Step 7. The pSEPP inserts the access token in the service/subscription request and sends the request to the NFp. The pSEPP may store the access token for future re-use.

The NFp authenticates the pSEPP. The NFp verifies the access token.

Step 8. If authorization is okay, the NFp sends a service/subscription response to the pSEPP.

Step 9. The pSEPP forwards the service/subscription response to the cSEPP.

Step 10. The cSEPP forwards the service/subscription response to the NFc. In some embodiments, the hNRF learns that the access token request has originated from a SEPP based on a new information element (IE) (for example, setBySepp is set as True). In other embodiments, the hNRF learns that the access token request has originated from a SEPP based on an existing IE (for example, nfType is set as “SEPP”). Based on local policy configuration, the hNRF issues the access token.

In some embodiments, local policy configuration in the pSEPP can be used to enable or disable the originating access token request on behalf of the NFc. The enabling or disabling can be controlled in a more flexible way, e.g., per consumer PLMN or per consumer PLMN ID, which depends on the roaming agreement.

It is also possible that the pSEPP is configured with NF types that are allowed to be accessible per serving PLMN in policy. Additionally, as the allowed NF types are preconfigured, the pSEPP in some embodiments may pre-acquire the access token per allowed NF type (with long expiry) for future use.

In some embodiments, the pSEPP at the home PLMN may originate the AccessTokenReq on behalf of the NFc with the below lEs:

NOTE: targetPImnList is an example of the new IE to provide target PLMN information when there is more than one PLMN ID related to the target NFp. setBySepp is an example of the new IE to indicate that the AccessTokenReq is originated from a SEPP and used by NRF/NFp for relevant special handling.

In some embodiments, the hNRF at the home PLMN grants the AccessTokenClaims with the below lEs:

As the example in Figure 2 demonstrates, some embodiments herein concern a roaming scenario where the serving PLMN (vPLMN) uses static Authorization and the home PLMN uses OAuth 2.0. These embodiments may be applicable both in the case of direct communication and indirect communication. Either way, the HPLM expects to get an access token from the serving PLMN, but the serving PLMN is not providing this. Some embodiments herein expand the functionality of the current pSEPP and hNRF to handle the access token on behalf of the NFc, and expand the functionality of the SEPP in HPLMN.

In some embodiments, there is an agreement about the authorization requirement and support between the two PLMNs. To be able to interoperate when the serving PLMN uses static authorization and home PLMN uses OAuth2.0 authorization framework, it shall be agreed for example that the NFp at the hPLMN shall grant service level access for an NFc at the vPLMN, based on the access token requested by the pSEPP, and that the pSEPP shall have direct access to the hNRF.

Some embodiments are based on one or more of the following new functionalities: (i) the pSEPP will check if OAuth 2.0 is required, either by local configuration or checking with the hNRF; (ii) the pSEPP will request an access token on behalf of the NFc; (iii) the pSEPP will insert an access token in the service/subscription request; (iv) the hNRF will verify the pSEPP and bypass the NFc check; (v) the NFp will add the SEPP as an allowed NF type.

Certain embodiments may provide one or more of the following technical advantage(s). Some embodiments enable an important interworking use case not addressed by existing solutions. Some embodiments will not force the serving PLMN to change from static authorization, and yet the security can be maintained. Some embodiments only require technical changes in the HPLMN, in pSEPP/SCP, and hNRF. Here, SCP stands for Service Communication Proxy.

In view of the modifications and variations herein, Figure 3 depicts a method performed by network equipment 600 configured as a proxy 60 in a first wireless communication network 10. The method comprises receiving, from a second wireless communication network 20, a request 50 for a network function, NF, service producer 30 in the first wireless communication network 10 to provide a service to an NF service consumer 40 in the second wireless communication network 20 (Block 300). The request 50 does not include an access token indicating authorization to consume the service from the NF service producer 30.

The method further comprises obtaining, on behalf of the NF service consumer 40, an access token 70, e.g., from a network repository function, NRF, 80 in the first wireless communication network 10 (Block 310). The obtained access token 70 indicates authorization to consume the service from the NF service producer 30.

The method may also comprise transmitting, towards the NF service producer 30, the received request 50 along with the obtained access token 70 (Block 320).

In some embodiments, obtaining the access token 70 comprises transmitting a request 75 for the access token 70 to the NRF 80 in the first wireless communication network 10, where the request 75 for the access token 70 indicates the request 75 for the access token 70 originated from the proxy 60 and/or is on behalf of the NF service consumer 40. Obtaining the access token 70 may further comprise, responsive to the request 75, receiving the access token 70 from the network repository function 80.

In some embodiments, the request 75 for the access token 70 includes a field that indicates the request for the access token originated from the proxy 60 and/or is on behalf of the NF service consumer 40. For example, in one embodiment where the proxy 60 is a security edge protection proxy, SEPP, the field is a setBySepp field whose value is set to true to indicate the request 75 for the access token 70 originated from the SEPP. In another embodiment, the field is an nfType field. Regardless, in some embodiments, the request 75 for the access token 70 includes a list of one or more target wireless communication networks related to the NF service producer 30.

In some embodiments, the access token 70 is obtained in response to receiving the request 50 from the second wireless communication network 20. In other embodiments, the access token 70 is obtained before receiving the request 50 from the second wireless communication network 20.

In some embodiments, the method further comprises determining whether or not to obtain the access token 70 on behalf of the NF service consumer 40, where obtaining the access token 70 is performed in response to determining to obtain the access token 70. In one embodiment, for example, said determining comprises deciding whether or not to obtain the access token 70 on behalf of the NF service consumer, based on an identity of the second wireless communication network, a type of the NF service consumer, and/or a type of the NF service producer. Alternatively or additionally, the method may comprise transmitting, to the network repository function, an NF service discovery request and receiving an NF service discovery response from the network repository function, where said determining is based on the NF service discovery response.

In some embodiments, the access token 70 is issued to the proxy 60 and/or wherein the proxy 60 is a subject of the access token 70.

In some embodiments, the access token is issued to another proxy in the second wireless communication network and/or wherein the other proxy in the second wireless communication network is a subject of the access token. In other embodiments, the access token is issued to the NF service consumer and/or wherein the NF service consumer is a subject of the access token.

In some embodiments, the method further comprises storing the obtained access token; and using the stored access token for handing a subsequent request for the NF service producer to provide a service to the NF service consumer.

In some embodiments, the method further comprises inserting the obtained access token into the received request and wherein said transmitting comprises transmitting the received request, with the obtained access token included therein, towards the NF service producer.

In some embodiments, the proxy 60 is a security edge protection proxy, SEPP.

In some embodiments, the request 50 is received from a proxy in the second wireless communication network 20. For example, in one embodiment, the request is received from a security edge protection proxy in the second wireless communication network. In some embodiments, the first wireless communication network requires access token based authorization for NF service access and wherein the second wireless communication network does not require access token based authorization for NF service access.

In some embodiments, the first wireless communication network requires OAuth 2.0 based authorization of NF service access, and wherein the second wireless communication network does not require OAuth 2.0 based authorization of NF service access.

In some embodiments, wherein NF service access in the second wireless communication network is based on static authorization.

In some embodiments, the obtained access token is an OAuth 2.0 access token.

In some embodiments, the obtained access token is a JavaScript Object Notation, JSON, Web Token.

In some embodiments, the obtained access token is secured with one or more digital signatures or Message Authentication Code(s) based on a JSON Web Signature.

Figure 4 depicts a method performed by network equipment 600 configured to implement a network repository function 80 in a first wireless communication network 10. The method comprises receiving, from a proxy 60 in the first wireless communication network 10, a request 75 for an access token 70 that indicates authorization to consume a service from a network function, NF, service producer 30 in the first wireless communication network 30 (Block 400). The request 75 for the access token 70 indicates the request for the access token originated from the proxy and/or is on behalf of an NF service consumer in a second wireless communication network 20. The method also comprises, responsive to the request, transmitting the requested access token 70 to the proxy 60 (Block 420).

In some embodiments, the request for the access token includes a field that indicates the request for the access token originated from the proxy and/or is on behalf of the NF service consumer. In one embodiment, where the proxy is a security edge protection proxy, SEPP, the field is a setBySepp field whose value is set to true to indicate the request for the access token originated from the SEPP. In another embodiment, the field is an nfType field.

In some embodiments, the request for the access token includes a list of one or more target wireless communication networks related to the NF service producer.

In some embodiments, the method further comprises receiving, from the proxy, an NF service discovery request and transmitting an NF service discovery response that indicates whether or not the proxy is to request the access token from the network repository function.

In some embodiments, wherein the access token is issued to the proxy and/or wherein the proxy is a subject of the access token.

In some embodiments, the access token is issued to another proxy in the second wireless communication network and/or wherein the other proxy in the second wireless communication network is a subject of the access token. In other embodiments, the access token is issued to the NF service consumer and/or wherein the NF service consumer is a subject of the access token.

In some embodiments, the proxy is a security edge protection proxy, SEPP.

In some embodiments, the first wireless communication network requires access token based authorization for NF service access and wherein the second wireless communication network does not require access token based authorization for NF service access.

In some embodiments, the first wireless communication network requires OAuth 2.0 based authorization of NF service access, and wherein the second wireless communication network does not require OAuth 2.0 based authorization of NF service access.

In some embodiments, wherein NF service access in the second wireless communication network is based on static authorization.

In some embodiments, the obtained access token is an OAuth 2.0 access token.

In some embodiments, the obtained access token is a JavaScript Object Notation, JSON, Web Token.

In some embodiments, the obtained access token is secured with one or more digital signatures or Message Authentication Code(s) based on a JSON Web Signature.

In some embodiments, the method further comprises verifying the proxy and/or bypassing a check of information associated with the NF service consumer (Block 410).

In some embodiments, the method further comprises refraining from verifying that input parameters in the request match with corresponding ones in a public key certificate of the NF service consumer or those in an NF profile of the NF service consumer; and/or refraining from checking whether the NF service consumer is authorized to access the service.

Figure 5 depicts a method performed by network equipment 600 configured to provide a service as a network function, NF, service producer 30 in a first wireless communication network 10. The method comprises receiving, from a proxy 60 in the first wireless communication network 10, a request 50 for the NF service producer 30 in the first wireless communication network 10 to provide a service to an NF service consumer 40 in a second wireless communication network 10 (Block 500). The request 50 includes an access token 70 indicating authorization to consume the service from the NF service producer 30. The method also comprises verifying an integrity of the access token 70 and/or claims in the access token 70, based on the access token 70 having been obtained by the proxy 60 on behalf of the NF service consumer 40 and/or based on a request 75 for the access token 70 having originated from the proxy 60 (Block 510). The method also comprises responding to the request 50 in dependence on said verifying (Block 520).

In some embodiments, the proxy is a security edge protection proxy, SEPP, and said verifying is based on SEPP being an allowed value for an nfType field in the request and/or in the access token. In some embodiments, wherein the access token is issued to the proxy and/or wherein the proxy is a subject of the access token.

In some embodiments, the access token is issued to another proxy in the second wireless communication network and/or wherein the other proxy in the second wireless communication network is a subject of the access token. In other embodiments, the access token is issued to the NF service consumer and/or wherein the NF service consumer is a subject of the access token.

In some embodiments, the proxy is a security edge protection proxy, SEPP.

In some embodiments, the first wireless communication network requires access token based authorization for NF service access and wherein the second wireless communication network does not require access token based authorization for NF service access.

In some embodiments, the first wireless communication network requires OAuth 2.0 based authorization of NF service access, and wherein the second wireless communication network does not require OAuth 2.0 based authorization of NF service access.

In some embodiments, wherein NF service access in the second wireless communication network is based on static authorization.

In some embodiments, the obtained access token is an OAuth 2.0 access token.

In some embodiments, the obtained access token is a JavaScript Object Notation, JSON, Web Token.

In some embodiments, the obtained access token is secured with one or more digital signatures or Message Authentication Code(s) based on a JSON Web Signature.

Embodiments herein also include corresponding apparatuses. Embodiments herein for instance include network equipment 600 configured to perform any of the steps of any of the embodiments described above for the proxy 60, NRF 80, and/or NFp 30.

Embodiments also include network equipment 600 comprising processing circuitry and power supply circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the proxy 60, NRF 80, and/or NFp 30. The power supply circuitry is configured to supply power to the network equipment 600.

Embodiments further include network equipment 600 comprising processing circuitry. The processing circuitry is configured to perform any of the steps of any of the embodiments described above for the proxy 60, NRF 80, and/or NFp 30. In some embodiments, the network equipment 600 further comprises communication circuitry.

Embodiments further include network equipment 600 comprising processing circuitry and memory. The memory contains instructions executable by the processing circuitry whereby the network equipment 600 is configured to perform any of the steps of any of the embodiments described above for the proxy 60, NRF 80, and/or NFp 30.

More particularly, the apparatuses described above may perform the methods herein and any other processing by implementing any functional means, modules, units, or circuitry. In one embodiment, for example, the apparatuses comprise respective circuits or circuitry configured to perform the steps shown in the method figures. The circuits or circuitry in this regard may comprise circuits dedicated to performing certain functional processing and/or one or more microprocessors in conjunction with memory. For instance, the circuitry may include one or more microprocessor or microcontrollers, as well as other digital hardware, which may include digital signal processors (DSPs), special-purpose digital logic, and the like. The processing circuitry may be configured to execute program code stored in memory, which may include one or several types of memory such as read-only memory (ROM), random-access memory, cache memory, flash memory devices, optical storage devices, etc. Program code stored in memory may include program instructions for executing one or more telecommunications and/or data communications protocols as well as instructions for carrying out one or more of the techniques described herein, in several embodiments. In embodiments that employ memory, the memory stores program code that, when executed by the one or more processors, carries out the techniques described herein.

Figure 6 for example illustrates network equipment 600 as implemented in accordance with one or more embodiments. As shown, the network equipment 600 includes processing circuitry 610 and communication circuitry 620. The communication circuitry 620 is configured to transmit and/or receive information to and/or from one or more other nodes, e.g., via any communication technology. The processing circuitry 610 is configured to perform processing described above, e.g., in Figure 3, Figure 4, or Figure 5, such as by executing instructions stored in memory 630. The processing circuitry 610 in this regard may implement certain functional means, units, or modules.

Those skilled in the art will also appreciate that embodiments herein further include corresponding computer programs.

A computer program comprises instructions which, when executed on at least one processor of network equipment 600, cause the network equipment 600 to carry out any of the respective processing described above. A computer program in this regard may comprise one or more code modules corresponding to the means or units described above.

Embodiments further include a carrier containing such a computer program. This carrier may comprise one of an electronic signal, optical signal, radio signal, or computer readable storage medium.

In this regard, embodiments herein also include a computer program product stored on a non-transitory computer readable (storage or recording) medium and comprising instructions that, when executed by a processor of network equipment 600, cause the network equipment 600 to perform as described above.

Embodiments further include a computer program product comprising program code portions for performing the steps of any of the embodiments herein when the computer program product is executed by network equipment 600. This computer program product may be stored on a computer readable recording medium.

Figure 7 shows an example of a communication system 700 in accordance with some embodiments.

In the example, the communication system 700 includes a telecommunication network 702 that includes an access network 704, such as a radio access network (RAN), and a core network 706, which includes one or more core network nodes 708. The access network 704 includes one or more access network nodes, such as network nodes 710a and 710b (one or more of which may be generally referred to as network nodes 710), or any other similar 3^rd Generation Partnership Project (3GPP) access node or non-3GPP access point. The network nodes 710 facilitate direct or indirect connection of user equipment (UE), such as by connecting UEs 712a, 712b, 712c, and 712d (one or more of which may be generally referred to as UEs 712) to the core network 706 over one or more wireless connections.

Example wireless communications over a wireless connection include transmitting and/or receiving wireless signals using electromagnetic waves, radio waves, infrared waves, and/or other types of signals suitable for conveying information without the use of wires, cables, or other material conductors. Moreover, in different embodiments, the communication system 700 may include any number of wired or wireless networks, network nodes, UEs, and/or any other components or systems that may facilitate or participate in the communication of data and/or signals whether via wired or wireless connections. The communication system 700 may include and/or interface with any type of communication, telecommunication, data, cellular, radio network, and/or other similar type of system.

The UEs 712 may be any of a wide variety of communication devices, including wireless devices arranged, configured, and/or operable to communicate wirelessly with the network nodes 710 and other communication devices. Similarly, the network nodes 710 are arranged, capable, configured, and/or operable to communicate directly or indirectly with the UEs 712 and/or with other network nodes or equipment in the telecommunication network 702 to enable and/or provide network access, such as wireless network access, and/or to perform other functions, such as administration in the telecommunication network 702.

In the depicted example, the core network 706 connects the network nodes 710 to one or more hosts, such as host 716. These connections may be direct or indirect via one or more intermediary networks or devices. In other examples, network nodes may be directly coupled to hosts. The core network 706 includes one more core network nodes (e.g., core network node 708) that are structured with hardware and software components. Features of these components may be substantially similar to those described with respect to the UEs, network nodes, and/or hosts, such that the descriptions thereof are generally applicable to the corresponding components of the core network node 708. Example core network nodes include functions of one or more of a Mobile Switching Center (MSC), Mobility Management Entity (MME), Home Subscriber Server (HSS), Access and Mobility Management Function (AMF), Session Management Function (SMF), Authentication Server Function (AUSF), Subscription Identifier De-concealing function (SIDF), Unified Data Management (UDM), Security Edge Protection Proxy (SEPP), Network Exposure Function (NEF), and/or a User Plane Function (UPF).

The host 716 may be under the ownership or control of a service provider other than an operator or provider of the access network 704 and/or the telecommunication network 702, and may be operated by the service provider or on behalf of the service provider. The host 716 may host a variety of applications to provide one or more service. Examples of such applications include live and pre-recorded audio/video content, data collection services such as retrieving and compiling data on various ambient conditions detected by a plurality of UEs, analytics functionality, social media, functions for controlling or otherwise interacting with remote devices, functions for an alarm and surveillance center, or any other such function performed by a server.

As a whole, the communication system 700 of Figure 7 enables connectivity between the UEs, network nodes, and hosts. In that sense, the communication system may be configured to operate according to predefined rules or procedures, such as specific standards that include, but are not limited to: Global System for Mobile Communications (GSM); Universal Mobile Telecommunications System (UMTS); Long Term Evolution (LTE), and/or other suitable 2G, 3G, 4G, 5G standards, or any applicable future generation standard (e.g., 6G); wireless local area network (WLAN) standards, such as the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standards (WiFi); and/or any other appropriate wireless communication standard, such as the Worldwide Interoperability for Microwave Access (WiMax), Bluetooth, Z-Wave, Near Field Communication (NFC) ZigBee, LiFi, and/or any low- power wide-area network (LPWAN) standards such as LoRa and Sigfox.

In some examples, the telecommunication network 702 is a cellular network that implements 3GPP standardized features. Accordingly, the telecommunications network 702 may support network slicing to provide different logical networks to different devices that are connected to the telecommunication network 702. For example, the telecommunications network 702 may provide Ultra Reliable Low Latency Communication (URLLC) services to some UEs, while providing Enhanced Mobile Broadband (eMBB) services to other UEs, and/or Massive Machine Type Communication (mMTC)ZMassive loT services to yet further UEs.

In some examples, the UEs 712 are configured to transmit and/or receive information without direct human interaction. For instance, a UE may be designed to transmit information to the access network 704 on a predetermined schedule, when triggered by an internal or external event, or in response to requests from the access network 704. Additionally, a UE may be configured for operating in single- or multi-RAT or multi-standard mode. For example, a UE may operate with any one or combination of Wi-Fi, NR (New Radio) and LTE, i.e. being configured for multi-radio dual connectivity (MR-DC), such as E-UTRAN (Evolved-UMTS Terrestrial Radio Access Network) New Radio - Dual Connectivity (EN-DC).

In the example, the hub 714 communicates with the access network 704 to facilitate indirect communication between one or more UEs (e.g., UE 712c and/or 712d) and network nodes (e.g., network node 710b). In some examples, the hub 714 may be a controller, router, content source and analytics, or any of the other communication devices described herein regarding UEs. For example, the hub 714 may be a broadband router enabling access to the core network 706 for the UEs. As another example, the hub 714 may be a controller that sends commands or instructions to one or more actuators in the UEs. Commands or instructions may be received from the UEs, network nodes 710, or by executable code, script, process, or other instructions in the hub 714. As another example, the hub 714 may be a data collector that acts as temporary storage for UE data and, in some embodiments, may perform analysis or other processing of the data. As another example, the hub 714 may be a content source. For example, for a UE that is a VR headset, display, loudspeaker or other media delivery device, the hub 714 may retrieve VR assets, video, audio, or other media or data related to sensory information via a network node, which the hub 714 then provides to the UE either directly, after performing local processing, and/or after adding additional local content. In still another example, the hub 714 acts as a proxy server or orchestrator for the UEs, in particular in if one or more of the UEs are low energy loT devices.

The hub 714 may have a constant/persistent or intermittent connection to the network node 710b. The hub 714 may also allow for a different communication scheme and/or schedule between the hub 714 and UEs (e.g., UE 712c and/or 712d), and between the hub 714 and the core network 706. In other examples, the hub 714 is connected to the core network 706 and/or one or more UEs via a wired connection. Moreover, the hub 714 may be configured to connect to an M2M service provider over the access network 704 and/or to another UE over a direct connection. In some scenarios, UEs may establish a wireless connection with the network nodes 710 while still connected via the hub 714 via a wired or wireless connection. In some embodiments, the hub 714 may be a dedicated hub - that is, a hub whose primary function is to route communications to/from the UEs from/to the network node 710b. In other embodiments, the hub 714 may be a non-dedicated hub - that is, a device which is capable of operating to route communications between the UEs and network node 710b, but which is additionally capable of operating as a communication start and/or end point for certain data channels.

Figure 8 shows a UE 800 in accordance with some embodiments. As used herein, a UE refers to a device capable, configured, arranged and/or operable to communicate wirelessly with network nodes and/or other UEs. Examples of a UE include, but are not limited to, a smart phone, mobile phone, cell phone, voice over IP (VoIP) phone, wireless local loop phone, desktop computer, personal digital assistant (PDA), wireless cameras, gaming console or device, music storage device, playback appliance, wearable terminal device, wireless endpoint, mobile station, tablet, laptop, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), smart device, wireless customer-premise equipment (CPE), vehicle-mounted or vehicle embedded/integrated wireless device, etc. Other examples include any UE identified by the 3rd Generation Partnership Project (3GPP), including a narrow band internet of things (NB-loT) UE, a machine type communication (MTC) UE, and/or an enhanced MTC (eMTC) UE.

A UE may support device-to-device (D2D) communication, for example by implementing a 3GPP standard for sidelink communication, Dedicated Short-Range Communication (DSRC), vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), or vehicle-to-everything (V2X). In other examples, a UE may not necessarily have a user in the sense of a human user who owns and/or operates the relevant device. Instead, a UE may represent a device that is intended for sale to, or operation by, a human user but which may not, or which may not initially, be associated with a specific human user (e.g., a smart sprinkler controller). Alternatively, a UE may represent a device that is not intended for sale to, or operation by, an end user but which may be associated with or operated for the benefit of a user (e.g., a smart power meter).

The UE 800 includes processing circuitry 802 that is operatively coupled via a bus 804 to an input/output interface 806, a power source 808, a memory 810, a communication interface 812, and/or any other component, or any combination thereof. Certain UEs may utilize all or a subset of the components shown in Figure 8. The level of integration between the components may vary from one UE to another UE. Further, certain UEs may contain multiple instances of a component, such as multiple processors, memories, transceivers, transmitters, receivers, etc.

The processing circuitry 802 is configured to process instructions and data and may be configured to implement any sequential state machine operative to execute instructions stored as machine-readable computer programs in the memory 810. The processing circuitry 802 may be implemented as one or more hardware-implemented state machines (e.g., in discrete logic, field-programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), etc.); programmable logic together with appropriate firmware; one or more stored computer programs, general-purpose processors, such as a microprocessor or digital signal processor (DSP), together with appropriate software; or any combination of the above. For example, the processing circuitry 802 may include multiple central processing units (CPUs).

In the example, the input/output interface 806 may be configured to provide an interface or interfaces to an input device, output device, or one or more input and/or output devices. Examples of an output device include a speaker, a sound card, a video card, a display, a monitor, a printer, an actuator, an emitter, a smartcard, another output device, or any combination thereof. An input device may allow a user to capture information into the UE 800. Examples of an input device include a touch-sensitive or presence-sensitive display, a camera (e.g., a digital camera, a digital video camera, a web camera, etc.), a microphone, a sensor, a mouse, a trackball, a directional pad, a trackpad, a scroll wheel, a smartcard, and the like. The presence-sensitive display may include a capacitive or resistive touch sensor to sense input from a user. A sensor may be, for instance, an accelerometer, a gyroscope, a tilt sensor, a force sensor, a magnetometer, an optical sensor, a proximity sensor, a biometric sensor, etc., or any combination thereof. An output device may use the same type of interface port as an input device. For example, a Universal Serial Bus (USB) port may be used to provide an input device and an output device.

In some embodiments, the power source 808 is structured as a battery or battery pack. Other types of power sources, such as an external power source (e.g., an electricity outlet), photovoltaic device, or power cell, may be used. The power source 808 may further include power circuitry for delivering power from the power source 808 itself, and/or an external power source, to the various parts of the UE 800 via input circuitry or an interface such as an electrical power cable. Delivering power may be, for example, for charging of the power source 808. Power circuitry may perform any formatting, converting, or other modification to the power from the power source 808 to make the power suitable for the respective components of the UE 800 to which power is supplied.

The memory 810 may be or be configured to include memory such as random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic disks, optical disks, hard disks, removable cartridges, flash drives, and so forth. In one example, the memory 810 includes one or more application programs 814, such as an operating system, web browser application, a widget, gadget engine, or other application, and corresponding data 816. The memory 810 may store, for use by the UE 800, any of a variety of various operating systems or combinations of operating systems.

The memory 810 may be configured to include a number of physical drive units, such as redundant array of independent disks (RAID), flash memory, USB flash drive, external hard disk drive, thumb drive, pen drive, key drive, high-density digital versatile disc (HD-DVD) optical disc drive, internal hard disk drive, Blu-Ray optical disc drive, holographic digital data storage (HDDS) optical disc drive, external mini-dual in-line memory module (DIMM), synchronous dynamic random access memory (SDRAM), external micro-DIMM SDRAM, smartcard memory such as tamper resistant module in the form of a universal integrated circuit card (UICC) including one or more subscriber identity modules (SIMs), such as a USIM and/or ISIM, other memory, or any combination thereof. The UICC may for example be an embedded UICC (eUlCC), integrated UICC (iUICC) or a removable UICC commonly known as ‘SIM card.’ The memory 810 may allow the UE 800 to access instructions, application programs and the like, stored on transitory or non-transitory memory media, to off-load data, or to upload data. An article of manufacture, such as one utilizing a communication system may be tangibly embodied as or in the memory 810, which may be or comprise a device-readable storage medium.

The processing circuitry 802 may be configured to communicate with an access network or other network using the communication interface 812. The communication interface 812 may comprise one or more communication subsystems and may include or be communicatively coupled to an antenna 822. The communication interface 812 may include one or more transceivers used to communicate, such as by communicating with one or more remote transceivers of another device capable of wireless communication (e.g., another UE or a network node in an access network). Each transceiver may include a transmitter 818 and/or a receiver 820 appropriate to provide network communications (e.g., optical, electrical, frequency allocations, and so forth). Moreover, the transmitter 818 and receiver 820 may be coupled to one or more antennas (e.g., antenna 822) and may share circuit components, software or firmware, or alternatively be implemented separately.

In the illustrated embodiment, communication functions of the communication interface 812 may include cellular communication, Wi-Fi communication, LPWAN communication, data communication, voice communication, multimedia communication, short-range communications such as Bluetooth, near-field communication, location-based communication such as the use of the global positioning system (GPS) to determine a location, another like communication function, or any combination thereof. Communications may be implemented in according to one or more communication protocols and/or standards, such as IEEE 802.11 , Code Division Multiplexing Access (CDMA), Wideband Code Division Multiple Access (WCDMA), GSM, LTE, New Radio (NR), UMTS, WiMax, Ethernet, transmission control protocol/internet protocol (TCP/IP), synchronous optical networking (SONET), Asynchronous Transfer Mode (ATM), QUIC, Hypertext Transfer Protocol (HTTP), and so forth.

Regardless of the type of sensor, a UE may provide an output of data captured by its sensors, through its communication interface 812, via a wireless connection to a network node. Data captured by sensors of a UE can be communicated through a wireless connection to a network node via another UE. The output may be periodic (e.g., once every 15 minutes if it reports the sensed temperature), random (e.g., to even out the load from reporting from several sensors), in response to a triggering event (e.g., when moisture is detected an alert is sent), in response to a request (e.g., a user initiated request), or a continuous stream (e.g., a live video feed of a patient).

As another example, a UE comprises an actuator, a motor, or a switch, related to a communication interface configured to receive wireless input from a network node via a wireless connection. In response to the received wireless input the states of the actuator, the motor, or the switch may change. For example, the UE may comprise a motor that adjusts the control surfaces or rotors of a drone in flight according to the received input or to a robotic arm performing a medical procedure according to the received input.

A UE, when in the form of an Internet of Things (loT) device, may be a device for use in one or more application domains, these domains comprising, but not limited to, city wearable technology, extended industrial application and healthcare. Non-limiting examples of such an loT device are a device which is or which is embedded in: a connected refrigerator or freezer, a TV, a connected lighting device, an electricity meter, a robot vacuum cleaner, a voice controlled smart speaker, a home security camera, a motion detector, a thermostat, a smoke detector, a door/window sensor, a flood/moisture sensor, an electrical door lock, a connected doorbell, an air conditioning system like a heat pump, an autonomous vehicle, a surveillance system, a weather monitoring device, a vehicle parking monitoring device, an electric vehicle charging station, a smart watch, a fitness tracker, a head-mounted display for Augmented Reality (AR) or Virtual Reality (VR), a wearable for tactile augmentation or sensory enhancement, a water sprinkler, an animal- or item-tracking device, a sensor for monitoring a plant or animal, an industrial robot, an Unmanned Aerial Vehicle (UAV), and any kind of medical device, like a heart rate monitor or a remote controlled surgical robot. A UE in the form of an loT device comprises circuitry and/or software in dependence of the intended application of the loT device in addition to other components as described in relation to the UE 800 shown in Figure 8.

As yet another specific example, in an loT scenario, a UE may represent a machine or other device that performs monitoring and/or measurements, and transmits the results of such monitoring and/or measurements to another UE and/or a network node. The UE may in this case be an M2M device, which may in a 3GPP context be referred to as an MTC device. As one particular example, the UE may implement the 3GPP NB-loT standard. In other scenarios, a UE may represent a vehicle, such as a car, a bus, a truck, a ship and an airplane, or other equipment that is capable of monitoring and/or reporting on its operational status or other functions associated with its operation.

In practice, any number of UEs may be used together with respect to a single use case. For example, a first UE might be or be integrated in a drone and provide the drone’s speed information (obtained through a speed sensor) to a second UE that is a remote controller operating the drone. When the user makes changes from the remote controller, the first UE may adjust the throttle on the drone (e.g. by controlling an actuator) to increase or decrease the drone’s speed. The first and/or the second UE can also include more than one of the functionalities described above. For example, a UE might comprise the sensor and the actuator, and handle communication of data for both the speed sensor and the actuators.

Figure 9 shows a network node 900 in accordance with some embodiments. As used herein, network node refers to equipment capable, configured, arranged and/or operable to communicate directly or indirectly with a UE and/or with other network nodes or equipment, in a telecommunication network. Examples of network nodes include, but are not limited to, access points (APs) (e.g., radio access points), base stations (BSs) (e.g., radio base stations, Node Bs, evolved Node Bs (eNBs) and NR NodeBs (gNBs)).

Base stations may be categorized based on the amount of coverage they provide (or, stated differently, their transmit power level) and so, depending on the provided amount of coverage, may be referred to as femto base stations, pico base stations, micro base stations, or macro base stations. A base station may be a relay node or a relay donor node controlling a relay. A network node may also include one or more (or all) parts of a distributed radio base station such as centralized digital units and/or remote radio units (RRUs), sometimes referred to as Remote Radio Heads (RRHs). Such remote radio units may or may not be integrated with an antenna as an antenna integrated radio. Parts of a distributed radio base station may also be referred to as nodes in a distributed antenna system (DAS).

Other examples of network nodes include multiple transmission point (multi-TRP) 5G access nodes, multi-standard radio (MSR) equipment such as MSR BSs, network controllers such as radio network controllers (RNCs) or base station controllers (BSCs), base transceiver stations (BTSs), transmission points, transmission nodes, multi-cell/multicast coordination entities (MCEs), Operation and Maintenance (O&M) nodes, Operations Support System (OSS) nodes, Self-Organizing Network (SON) nodes, positioning nodes (e.g., Evolved Serving Mobile Location Centers (E-SMLCs)), and/or Minimization of Drive Tests (MDTs).

The network node 900 includes a processing circuitry 902, a memory 904, a communication interface 906, and a power source 908. The network node 900 may be composed of multiple physically separate components (e.g., a NodeB component and a RNC component, or a BTS component and a BSC component, etc.), which may each have their own respective components. In certain scenarios in which the network node 900 comprises multiple separate components (e.g., BTS and BSC components), one or more of the separate components may be shared among several network nodes. For example, a single RNC may control multiple NodeBs. In such a scenario, each unique NodeB and RNC pair, may in some instances be considered a single separate network node. In some embodiments, the network node 900 may be configured to support multiple radio access technologies (RATs). In such embodiments, some components may be duplicated (e.g., separate memory 904 for different RATs) and some components may be reused (e.g., a same antenna 910 may be shared by different RATs). The network node 900 may also include multiple sets of the various illustrated components for different wireless technologies integrated into network node 900, for example GSM, WCDMA, LTE, NR, WiFi, Zigbee, Z-wave, LoRaWAN, Radio Frequency Identification (RFID) or Bluetooth wireless technologies. These wireless technologies may be integrated into the same or different chip or set of chips and other components within network node 900.

The processing circuitry 902 may comprise a combination of one or more of a microprocessor, controller, microcontroller, central processing unit, digital signal processor, application-specific integrated circuit, field programmable gate array, or any other suitable computing device, resource, or combination of hardware, software and/or encoded logic operable to provide, either alone or in conjunction with other network node 900 components, such as the memory 904, to provide network node 900 functionality.

In some embodiments, the processing circuitry 902 includes a system on a chip (SOC). In some embodiments, the processing circuitry 902 includes one or more of radio frequency (RF) transceiver circuitry 912 and baseband processing circuitry 914. In some embodiments, the radio frequency (RF) transceiver circuitry 912 and the baseband processing circuitry 914 may be on separate chips (or sets of chips), boards, or units, such as radio units and digital units. In alternative embodiments, part or all of RF transceiver circuitry 912 and baseband processing circuitry 914 may be on the same chip or set of chips, boards, or units.

The memory 904 may comprise any form of volatile or non-volatile computer-readable memory including, without limitation, persistent storage, solid-state memory, remotely mounted memory, magnetic media, optical media, random access memory (RAM), read-only memory (ROM), mass storage media (for example, a hard disk), removable storage media (for example, a flash drive, a Compact Disk (CD) or a Digital Video Disk (DVD)), and/or any other volatile or non-volatile, non-transitory device-readable and/or computer-executable memory devices that store information, data, and/or instructions that may be used by the processing circuitry 902. The memory 904 may store any suitable instructions, data, or information, including a computer program, software, an application including one or more of logic, rules, code, tables, and/or other instructions capable of being executed by the processing circuitry 902 and utilized by the network node 900. The memory 904 may be used to store any calculations made by the processing circuitry 902 and/or any data received via the communication interface 906. In some embodiments, the processing circuitry 902 and memory 904 is integrated.

The communication interface 906 is used in wired or wireless communication of signaling and/or data between a network node, access network, and/or UE. As illustrated, the communication interface 906 comprises port(s)/terminal(s) 916 to send and receive data, for example to and from a network over a wired connection. The communication interface 906 also includes radio front-end circuitry 918 that may be coupled to, or in certain embodiments a part of, the antenna 910. Radio front-end circuitry 918 comprises filters 920 and amplifiers 922. The radio front-end circuitry 918 may be connected to an antenna 910 and processing circuitry 902. The radio front-end circuitry may be configured to condition signals communicated between antenna 910 and processing circuitry 902. The radio front-end circuitry 918 may receive digital data that is to be sent out to other network nodes or UEs via a wireless connection. The radio front-end circuitry 918 may convert the digital data into a radio signal having the appropriate channel and bandwidth parameters using a combination of filters 920 and/or amplifiers 922. The radio signal may then be transmitted via the antenna 910. Similarly, when receiving data, the antenna 910 may collect radio signals which are then converted into digital data by the radio front-end circuitry 918. The digital data may be passed to the processing circuitry 902. In other embodiments, the communication interface may comprise different components and/or different combinations of components.

In certain alternative embodiments, the network node 900 does not include separate radio front-end circuitry 918, instead, the processing circuitry 902 includes radio front-end circuitry and is connected to the antenna 910. Similarly, in some embodiments, all or some of the RF transceiver circuitry 912 is part of the communication interface 906. In still other embodiments, the communication interface 906 includes one or more ports or terminals 916, the radio front-end circuitry 918, and the RF transceiver circuitry 912, as part of a radio unit (not shown), and the communication interface 906 communicates with the baseband processing circuitry 914, which is part of a digital unit (not shown).

The antenna 910 may include one or more antennas, or antenna arrays, configured to send and/or receive wireless signals. The antenna 910 may be coupled to the radio front-end circuitry 918 and may be any type of antenna capable of transmitting and receiving data and/or signals wirelessly. In certain embodiments, the antenna 910 is separate from the network node 900 and connectable to the network node 900 through an interface or port.

The antenna 910, communication interface 906, and/or the processing circuitry 902 may be configured to perform any receiving operations and/or certain obtaining operations described herein as being performed by the network node. Any information, data and/or signals may be received from a UE, another network node and/or any other network equipment. Similarly, the antenna 910, the communication interface 906, and/or the processing circuitry 902 may be configured to perform any transmitting operations described herein as being performed by the network node. Any information, data and/or signals may be transmitted to a UE, another network node and/or any other network equipment.

The power source 908 provides power to the various components of network node 900 in a form suitable for the respective components (e.g., at a voltage and current level needed for each respective component). The power source 908 may further comprise, or be coupled to, power management circuitry to supply the components of the network node 900 with power for performing the functionality described herein. For example, the network node 900 may be connectable to an external power source (e.g., the power grid, an electricity outlet) via an input circuitry or interface such as an electrical cable, whereby the external power source supplies power to power circuitry of the power source 908. As a further example, the power source 908 may comprise a source of power in the form of a battery or battery pack which is connected to, or integrated in, power circuitry. The battery may provide backup power should the external power source fail.

Embodiments of the network node 900 may include additional components beyond those shown in Figure 9 for providing certain aspects of the network node’s functionality, including any of the functionality described herein and/or any functionality necessary to support the subject matter described herein. For example, the network node 900 may include user interface equipment to allow input of information into the network node 900 and to allow output of information from the network node 900. This may allow a user to perform diagnostic, maintenance, repair, and other administrative functions for the network node 900.

Figure 10 is a block diagram of a host 1000, which may be an embodiment of the host 716 of Figure 7, in accordance with various aspects described herein. As used herein, the host 1000 may be or comprise various combinations hardware and/or software, including a standalone server, a blade server, a cloud-implemented server, a distributed server, a virtual machine, container, or processing resources in a server farm. The host 1000 may provide one or more services to one or more UEs.

The host 1000 includes processing circuitry 1002 that is operatively coupled via a bus 1004 to an input/output interface 1006, a network interface 1008, a power source 1010, and a memory 1012. Other components may be included in other embodiments. Features of these components may be substantially similar to those described with respect to the devices of previous figures, such as Figures 8 and 9, such that the descriptions thereof are generally applicable to the corresponding components of host 1000.

The memory 1012 may include one or more computer programs including one or more host application programs 1014 and data 1016, which may include user data, e.g., data generated by a UE for the host 1000 or data generated by the host 1000 for a UE. Embodiments of the host 1000 may utilize only a subset or all of the components shown. The host application programs 1014 may be implemented in a container-based architecture and may provide support for video codecs (e.g., Versatile Video Coding (WC), High Efficiency Video Coding (HEVC), Advanced Video Coding (AVC), MPEG, VP9) and audio codecs (e.g., FLAC, Advanced Audio Coding (AAC), MPEG, G.711), including transcoding for multiple different classes, types, or implementations of UEs (e.g., handsets, desktop computers, wearable display systems, heads-up display systems). The host application programs 1014 may also provide for user authentication and licensing checks and may periodically report health, routes, and content availability to a central node, such as a device in or on the edge of a core network. Accordingly, the host 1000 may select and/or indicate a different host for over-the-top services for a UE. The host application programs 1014 may support various protocols, such as the HTTP Live Streaming (HLS) protocol, Real-Time Messaging Protocol (RTMP), Real-Time Streaming Protocol (RTSP), Dynamic Adaptive Streaming over HTTP (MPEG-DASH), etc.

Figure 11 is a block diagram illustrating a virtualization environment 1100 in which functions implemented by some embodiments may be virtualized. In the present context, virtualizing means creating virtual versions of apparatuses or devices which may include virtualizing hardware platforms, storage devices and networking resources. As used herein, virtualization can be applied to any device described herein, or components thereof, and relates to an implementation in which at least a portion of the functionality is implemented as one or more virtual components. Some or all of the functions described herein may be implemented as virtual components executed by one or more virtual machines (VMs) implemented in one or more virtual environments 1100 hosted by one or more of hardware nodes, such as a hardware computing device that operates as a network node, UE, core network node, or host. Further, in embodiments in which the virtual node does not require radio connectivity (e.g., a core network node or host), then the node may be entirely virtualized. Applications 1102 (which may alternatively be called software instances, virtual appliances, network functions, virtual nodes, virtual network functions, etc.) are run in the virtualization environment Q400 to implement some of the features, functions, and/or benefits of some of the embodiments disclosed herein.

Hardware 1104 includes processing circuitry, memory that stores software and/or instructions executable by hardware processing circuitry, and/or other hardware devices as described herein, such as a network interface, input/output interface, and so forth. Software may be executed by the processing circuitry to instantiate one or more virtualization layers 1106 (also referred to as hypervisors or virtual machine monitors (VMMs)), provide VMs 1108a and 1108b (one or more of which may be generally referred to as VMs 1108), and/or perform any of the functions, features and/or benefits described in relation with some embodiments described herein. The virtualization layer 1106 may present a virtual operating platform that appears like networking hardware to the VMs 1108.

The VMs 1108 comprise virtual processing, virtual memory, virtual networking or interface and virtual storage, and may be run by a corresponding virtualization layer 1106. Different embodiments of the instance of a virtual appliance 1102 may be implemented on one or more of VMs 1108, and the implementations may be made in different ways. Virtualization of the hardware is in some contexts referred to as network function virtualization (NFV). NFV may be used to consolidate many network equipment types onto industry standard high volume server hardware, physical switches, and physical storage, which can be located in data centers, and customer premise equipment.

In the context of NFV, a VM 1108 may be a software implementation of a physical machine that runs programs as if they were executing on a physical, non-virtualized machine. Each of the VMs 1108, and that part of hardware 1104 that executes that VM, be it hardware dedicated to that VM and/or hardware shared by that VM with others of the VMs, forms separate virtual network elements. Still in the context of NFV, a virtual network function is responsible for handling specific network functions that run in one or more VMs 1108 on top of the hardware 1104 and corresponds to the application 1102.

Hardware 1104 may be implemented in a standalone network node with generic or specific components. Hardware 1104 may implement some functions via virtualization. Alternatively, hardware 1104 may be part of a larger cluster of hardware (e.g. such as in a data center or CPE) where many hardware nodes work together and are managed via management and orchestration 1110, which, among others, oversees lifecycle management of applications 1102. In some embodiments, hardware 1104 is coupled to one or more radio units that each include one or more transmitters and one or more receivers that may be coupled to one or more antennas. Radio units may communicate directly with other hardware nodes via one or more appropriate network interfaces and may be used in combination with the virtual components to provide a virtual node with radio capabilities, such as a radio access node or a base station. In some embodiments, some signaling can be provided with the use of a control system 1112 which may alternatively be used for communication between hardware nodes and radio units.

Although the computing devices described herein (e.g., UEs, network nodes, hosts) may include the illustrated combination of hardware components, other embodiments may comprise computing devices with different combinations of components. It is to be understood that these computing devices may comprise any suitable combination of hardware and/or software needed to perform the tasks, features, functions and methods disclosed herein. Determining, calculating, obtaining or similar operations described herein may be performed by processing circuitry, which may process information by, for example, converting the obtained information into other information, comparing the obtained information or converted information to information stored in the network node, and/or performing one or more operations based on the obtained information or converted information, and as a result of said processing making a determination. Moreover, while components are depicted as single boxes located within a larger box, or nested within multiple boxes, in practice, computing devices may comprise multiple different physical components that make up a single illustrated component, and functionality may be partitioned between separate components. For example, a communication interface may be configured to include any of the components described herein, and/or the functionality of the components may be partitioned between the processing circuitry and the communication interface. In another example, non-computationally intensive functions of any of such components may be implemented in software or firmware and computationally intensive functions may be implemented in hardware.

In certain embodiments, some or all of the functionality described herein may be provided by processing circuitry executing instructions stored on in memory, which in certain embodiments may be a computer program product in the form of a non-transitory computer- readable storage medium. In alternative embodiments, some or all of the functionality may be provided by the processing circuitry without executing instructions stored on a separate or discrete device-readable storage medium, such as in a hard-wired manner. In any of those particular embodiments, whether executing instructions stored on a non-transitory computer- readable storage medium or not, the processing circuitry can be configured to perform the described functionality. The benefits provided by such functionality are not limited to the processing circuitry alone or to other components of the computing device, but are enjoyed by the computing device as a whole, and/or by end users and a wireless network generally.

Notably, modifications and other embodiments of the present disclosure will come to mind to one skilled in the art having the benefit of the teachings presented in the foregoing descriptions and the associated drawings. Therefore, it is to be understood that the present disclosure is not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of this disclosure. Although specific terms may be employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

Some embodiments herein propose modifications to or variations of the access token based authentication, e.g., OAuth 2.0 authentication, captured in the following references:

1. 3GPP TS 29.510 V17.2.0 (2021-06) 5G System; Network Function Repository Services; Stage 3.

2. 3GPP TS 33.501 V17.2.1 (2021-06): "Security architecture and procedures for 5G system", Clauses 13.4.1.2 Service access authorization in roaming scenarios. Example embodiments of the techniques and apparatus described herein include, but are not limited to, the following enumerated examples: Group A Embodiments

A1 . A method performed by network equipment configured as a proxy in a first wireless communication network, the method comprising: receiving, from a second wireless communication network, a request for a network function, NF, service producer in the first wireless communication network to provide a service to an NF service consumer in the second wireless communication network, wherein the request does not include an access token indicating authorization to consume the service from the NF service producer; obtaining, on behalf of the NF service consumer, an access token from a network repository function, NRF, in the first wireless communication network, wherein the obtained access token indicates authorization to consume the service from the NF service producer; and transmitting, towards the NF service producer, the received request along with the obtained access token.

A2. The method of embodiment A1 , wherein obtaining the access token comprises: transmitting a request for the access token to the NRF in the first wireless communication network, wherein the request for the access token indicates the request for the access token originated from the proxy and/or is on behalf of the NF service consumer; and responsive to the request, receiving the access token from the network repository function.

A3. The method of embodiment A2, wherein the request for the access token includes a field that indicates the request for the access token originated from the proxy and/or is on behalf of the NF service consumer. A4. The method of embodiment A3, wherein the proxy is a security edge protection proxy, SEPP, and wherein the field is a setBySepp field whose value is set to true to indicate the request for the access token originated from the SEPP.

A5. The method of embodiment A3, wherein the field is an nfType field.

A6. The method of any of embodiments A2-A5, wherein the request for the access token includes a list of one or more target wireless communication networks related to the NF service producer.

A7. The method of any of embodiments A1-A6, wherein the access token is obtained in response to receiving the request from the second wireless communication network.

A8. The method of any of embodiments A1-A6, wherein the access token is obtained before receiving the request from the second wireless communication network.

A9. The method of any of embodiments A1-A8, further comprising determining whether or not to obtain the access token on behalf of the NF service consumer, and wherein said obtaining is performed in response to determining to obtain the access token.

A10. The method of embodiment A9, wherein said determining comprises deciding whether or not to obtain the access token on behalf of the NF service consumer, based on an identity of the second wireless communication network, a type of the NF service consumer, and/or a type of the NF service producer.

A11 . The method of any of embodiments A9-A10, further comprising transmitting, to the network repository function, an NF service discovery request and receiving an NF service discovery response from the network repository function, wherein said determining is based on the NF service discovery response.

A12. The method of any of embodiments A1-A11 , wherein the access token is issued to the proxy and/or wherein the proxy is a subject of the access token.

A13. The method of any of embodiments A1 -A11 , wherein either: the access token is issued to another proxy in the second wireless communication network and/or wherein the other proxy in the second wireless communication network is a subject of the access token; or the access token is issued to the NF service consumer and/or wherein the NF service consumer is a subject of the access token.

A14. The method of any of embodiments A1-A13, further comprising: storing the obtained access token; and using the stored access token for handing a subsequent request for the NF service producer to provide a service to the NF service consumer.

A15. The method of any of embodiments A1 -A14, further comprising inserting the obtained access token into the received request and wherein said transmitting comprises transmitting the received request, with the obtained access token included therein, towards the NF service producer.

A16. The method of any of embodiments A1-A16, wherein the proxy is a security edge protection proxy, SEPP.

A17. The method of any of embodiments A1 -A17, wherein the request is received from a proxy in the second wireless communication network.

A18. The method of embodiment A17, wherein the request is received from a security edge protection proxy in the second wireless communication network.

A19. The method of any of embodiments A1 -A18, wherein the first wireless communication network requires access token based authorization for NF service access and wherein the second wireless communication network does not require access token based authorization for NF service access.

A20. The method of any of embodiments A1 -A19, wherein the first wireless communication network requires OAuth 2.0 based authorization of NF service access, and wherein the second wireless communication network does not require OAuth 2.0 based authorization of NF service access.

A21 . The method of any of embodiments A1-A20, wherein NF service access in the second wireless communication network is based on static authorization.

A22. The method of any of embodiments A1-A21 , wherein the obtained access token is an OAuth 2.0 access token. A23. The method of any of embodiments A1-A22, wherein the obtained access token is a JavaScript Object Notation, JSON, Web Token.

A24. The method of any of embodiments A1-A23, wherein the obtained access token is secured with one or more digital signatures or Message Authentication Code(s) based on a JSON Web Signature.

Group B Embodiments

B1 . A method performed by network equipment configured to implement a network repository function in a first wireless communication network, the method comprising: receiving, from a proxy in the first wireless communication network, a request for an access token that indicates authorization to consume a service from a network function, NF, service producer in the first wireless communication network, wherein the request for the access token indicates the request for the access token originated from the proxy and/or is on behalf of an NF service consumer in a second wireless communication network; and responsive to the request, transmitting the requested access token to the proxy.

B2. The method of embodiment B1 , wherein the request for the access token includes a field that indicates the request for the access token originated from the proxy and/or is on behalf of the NF service consumer.

B3. The method of embodiment B2, wherein the proxy is a security edge protection proxy, SEPP, and wherein the field is a setBySepp field whose value is set to true to indicate the request for the access token originated from the SEPP.

B4. The method of embodiment B2, wherein the field is an nfType field.

B5. The method of any of embodiments B1 -B4, wherein the request for the access token includes a list of one or more target wireless communication networks related to the NF service producer.

B6. The method of any of embodiments B1-B5, further comprising receiving, from the proxy, an NF service discovery request and transmitting an NF service discovery response that indicates whether or not the proxy is to request the access token from the network repository function. B7. The method of any of embodiments B1-B6, wherein the access token is issued to the proxy and/or wherein the proxy is a subject of the access token.

B8. The method of any of embodiments B1-B7, wherein either: the access token is issued to another proxy in the second wireless communication network and/or wherein the other proxy in the second wireless communication network is a subject of the access token; or the access token is issued to the NF service consumer and/or wherein the NF service consumer is a subject of the access token.

B9. The method of any of embodiments B1-B8, wherein the proxy is a security edge protection proxy, SEPP.

B10. The method of any of embodiments B1-B9, wherein the first wireless communication network requires access token based authorization for NF service access and wherein the second wireless communication network does not require access token based authorization for NF service access.

B11. The method of any of embodiments B1-B10, wherein the first wireless communication network requires OAuth 2.0 based authorization of NF service access, and wherein the second wireless communication network does not require OAuth 2.0 based authorization of NF service access.

B12. The method of any of embodiments B1-B11 , wherein NF service access in the second wireless communication network is based on static authorization.

B13. The method of any of embodiments B1-B12, wherein the access token is an OAuth 2.0 access token.

B14. The method of any of embodiments B1-B13, wherein the access token is a JavaScript Object Notation, JSON, Web Token.

B15. The method of any of embodiments B1-B14, wherein the access token is secured with one or more digital signatures or Message Authentication Code(s) based on a JSON Web Signature.

B16. The method of any of embodiments B1-B15, further comprising verifying the proxy and/or bypassing a check of information associated with the NF service consumer. B17. The method of any of embodiments B1-B16, further comprising: refraining from verifying that input parameters in the request match with corresponding ones in a public key certificate of the NF service consumer or those in an NF profile of the NF service consumer; and/or refraining from checking whether the NF service consumer is authorized to access the service.

Group C Embodiments

C1 . A method performed by network equipment configured to provide a service as a network function, NF, service producer in a first wireless communication network, the method comprising: receiving, from a proxy in the first wireless communication network, a request for the service producer in the first wireless communication network to provide a service to an NF service consumer in a second wireless communication network, wherein the request includes an access token indicating authorization to consume the service from the NF service producer; verifying an integrity of the access token and/or claims in the access token, based on the access token having been obtained by the proxy on behalf of the NF service consumer and/or based on a request for the access token having originated from the proxy; and responding to the request in dependence on said verifying.

C2. The method of embodiment C1 , wherein the proxy is a security edge protection proxy, SEPP, and wherein said verifying is based on SEPP being an allowed value for an nfType field in the request and/or in the access token.

C3. The method of any of embodiments C1-C2, wherein the access token is issued to the proxy and/or wherein the proxy is a subject of the access token.

C4. The method of any of embodiments C1-C2, wherein either: the access token is issued to another proxy in the second wireless communication network and/or wherein the other proxy in the second wireless communication network is a subject of the access token; or the access token is issued to the NF service consumer and/or wherein the NF service consumer is a subject of the access token. C5. The method of any of embodiments C1-C4, wherein the proxy is a security edge protection proxy, SEPP.

C6. The method of any of embodiments C1-C5, wherein the first wireless communication network requires access token based authorization for NF service access and wherein the second wireless communication network does not require access token based authorization for NF service access.

C7. The method of any of embodiments C1-C6, wherein the first wireless communication network requires OAuth 2.0 based authorization of NF service access, and wherein the second wireless communication network does not require OAuth 2.0 based authorization of NF service access.

C8. The method of any of embodiments C1-C7, wherein NF service access in the second wireless communication network is based on static authorization.

C9. The method of any of embodiments C1-C8, wherein the access token is an OAuth 2.0 access token.

C10. The method of any of embodiments C1-C9, wherein the access token is a JavaScript Object Notation, JSON, Web Token.

C11. The method of any of embodiments C1-C10, wherein the access token is secured with one or more digital signatures or Message Authentication Code(s) based on a JSON Web Signature.

Group D Embodiments

D1 . Network equipment configured to perform any of the steps of any of the Group A, Group B, or Group C embodiments.

D2. Network equipment comprising processing circuitry configured to perform any of the steps of any of the Group A, Group B, or Group C embodiments.

D3. Network equipment comprising: communication circuitry; and processing circuitry configured to perform any of the steps of any of the Group A, Group B, or Group C embodiments. D4. Network equipment comprising: processing circuitry configured to perform any of the steps of any of the Group A, Group B, or Group C embodiments; and power supply circuitry configured to supply power to the network equipment.

D5. Network equipment comprising: processing circuitry and memory, the memory containing instructions executable by the processing circuitry whereby the network equipment is configured to perform any of the steps of any of the Group A, Group B, or Group C embodiments.

D7. A computer program comprising instructions which, when executed by at least one processor of network equipment, causes the network equipment to carry out the steps of any of the Group A, Group B, or Group C embodiments.

D8. A carrier containing the computer program of embodiment D7, wherein the carrier is one of an electronic signal, optical signal, radio signal, or computer readable storage medium.

Claims

1 . A method performed by network equipment (600) configured as a proxy (60) in a first wireless communication network (10), the method comprising: receiving (300), from a second wireless communication network (20), a request (50) for a network function, NF, service producer (30) in the first wireless communication network (10) to provide a service to an NF service consumer (40) in the second wireless communication network (20), wherein the request (50) does not include an access token indicating authorization to consume the service from the NF service producer (30); obtaining (310), on behalf of the NF service consumer (40), an access token (70) from a network repository function, NRF, (80) in the first wireless communication network (10), wherein the obtained access token (70) indicates authorization to consume the service from the NF service producer (30); and transmitting, towards the NF service producer (30), the received request (50) along with the obtained access token (70).

2. The method of claim 1 , wherein obtaining the access token (70) comprises: transmitting a request (75) for the access token (70) to the NRF (80) in the first wireless communication network (10), wherein the request (75) for the access token (70) includes a field that indicates the request (75) for the access token (70) originated from the proxy (60) and/or is on behalf of the NF service consumer (40); and responsive to the request (75), receiving the access token (70) from the NRF (80).

3. The method of claim 2, wherein the proxy (60) is a security edge protection proxy, SEPP, and wherein the field is a setBySepp field whose value is set to true to indicate the request (75) for the access token (70) originated from the SEPP.

4. The method of any of claims 2-3, wherein the request (75) for the access token (70) includes a list of one or more target wireless communication networks related to the NF service producer (30).

5. The method of any of claims 1-4, further comprising determining whether or not to obtain the access token (70) on behalf of the NF service consumer (40), and wherein said obtaining is performed in response to determining to obtain the access token (70), wherein said determining comprises deciding whether or not to obtain the access token (70) on behalf of the NF service consumer (40), based on an identity of the second wireless communication network (20), a type of the NF service consumer (40), and/or a type of the NF service producer (30).

6. The method of any of claims 1-5, wherein the access token (70) is issued to the proxy (60) and/or wherein the proxy (60) is a subject of the access token (70).

7. The method of any of claims 1-6, wherein either: the access token (70) is issued to another proxy (90) in the second wireless communication network (20) and/or wherein the other proxy (90) in the second wireless communication network (20) is a subject of the access token (70); or the access token (70) is issued to the NF service consumer (40) and/or wherein the NF service consumer (40) is a subject of the access token (70).

8. The method of any of claims 1-7, further comprising inserting the obtained access token (70) into the received request (50) and wherein said transmitting comprises transmitting the received request (50), with the obtained access token (70) included therein, towards the NF service producer (30).

9. The method of any of claims 1-8, wherein the proxy (60) is a security edge protection proxy, SEPP, and wherein the request (50) is received from a security edge protection proxy (90) in the second wireless communication network (20).

10. The method of any of claims 1 -9, wherein the first wireless communication network (10) requires OAuth 2.0 based authorization of NF service access, wherein the access token (70) is an OAuth 2.0 access token, and wherein: the second wireless communication network (20) does not require OAuth 2.0 based authorization of NF service access; and/or

NF service access in the second wireless communication network (20) is based on static authorization.

11. The method of any of claims 1-10, wherein the obtained access token (70): is a JavaScript Object Notation, JSON, Web Token; and/or is secured with one or more digital signatures or Message Authentication Code(s) based on a JSON Web Signature.

12. A method performed by network equipment (600) configured to implement a network repository function (80) in a first wireless communication network (10), the method comprising: receiving (400), from a proxy (60) in the first wireless communication network (10), a request (75) for an access token (70) that indicates authorization to consume a service from a network function, NF, service producer (30) in the first wireless communication network (10), wherein the request (75) for the access token (70) indicates the request (75) for the access token (70) originated from the proxy (60) and/or is on behalf of an NF service consumer (40) in a second wireless communication network (20); and responsive to the request (75), transmitting (420) the requested access token (70) to the proxy (60).

13. The method of claim 12, wherein the request (75) for the access token (70) includes a field that indicates the request (75) for the access token (70) originated from the proxy (60) and/or is on behalf of the NF service consumer (40).

14. The method of claim 13, wherein the proxy (60) is a security edge protection proxy, SEPP, and wherein the field is a setBySepp field whose value is set to true to indicate the request (75) for the access token (70) originated from the SEPP.

15. The method of any of claims 12-14, wherein the request (75) for the access token (70) includes a list of one or more target wireless communication networks related to the NF service producer (30).

16. The method of any of claims 12-15, further comprising receiving, from the proxy (60), an NF service discovery request and transmitting an NF service discovery response that indicates whether or not the proxy (60) is to request the access token (70) from the network repository function (80).

17. The method of any of claims 12-16, wherein the access token (70) is issued to the proxy (60) and/or wherein the proxy (60) is a subject of the access token (70).

18. The method of any of claims 12-17, wherein either: the access token (70) is issued to another proxy (90) in the second wireless communication network (20) and/or wherein the other proxy (90) in the second wireless communication network (20) is a subject of the access token (70); or the access token (70) is issued to the NF service consumer (40) and/or wherein the NF service consumer (40) is a subject of the access token (70).

19. The method of any of claims 12-18, wherein the proxy (60) is a security edge protection proxy, SEPP.

20. The method of any of claims 12-19, wherein the first wireless communication network (10) requires OAuth 2.0 based authorization of NF service access, wherein the access token (70) is an OAuth 2.0 access token, and wherein: the second wireless communication network (20) does not require OAuth 2.0 based authorization of NF service access; and/or

NF service access in the second wireless communication network (20) is based on static authorization.

21 . The method of any of claims 12-20, wherein the access token (70): is a JavaScript Object Notation, JSON, Web Token; and/or is secured with one or more digital signatures or Message Authentication Code(s) based on a JSON Web Signature.

22. The method of any of claims 12-21 , further comprising verifying (410) the proxy (60) and/or bypassing a check of information associated with the NF service consumer (40).

23. The method of any of claims 12-22, further comprising: refraining from verifying that input parameters in the request match with corresponding ones in a public key certificate of the NF service consumer (40) or those in an NF profile of the NF service consumer (40); and/or refraining from checking whether the NF service consumer (40) is authorized to access the service.

24. A method performed by network equipment (600) configured to provide a service as a network function, NF, service producer (30) in a first wireless communication network (10), the method comprising: receiving (500), from a proxy (60) in the first wireless communication network (10), a request (50) for the service producer (30) in the first wireless communication network (10) to provide a service to an NF service consumer (40) in a second wireless communication network (20), wherein the request (50) includes an access token (70) indicating authorization to consume the service from the NF service producer (30); verifying (510) an integrity of the access token (70) and/or claims in the access token (70), based on the access token (70) having been obtained by the proxy (60) on behalf of the NF service consumer (40) and/or based on a request (75) for the access token (70) having originated from the proxy (60); and responding (520) to the request (50) in dependence on said verifying.

25. The method of claim 24, wherein the proxy (60) is a security edge protection proxy, SEPP, and wherein said verifying is based on SEPP being an allowed value for an nfType field in the request (50) and/or in the access token (70).

26. The method of any of claims 24-25, wherein the access token (70) is issued to the proxy (60) and/or wherein the proxy (60) is a subject of the access token (70).

27. The method of any of claims 24-26, wherein either: the access token (70) is issued to another proxy (90) in the second wireless communication network (20) and/or wherein the other proxy (90) in the second wireless communication network (20) is a subject of the access token (70); or the access token (70) is issued to the NF service consumer (40) and/or wherein the NF service consumer (40) is a subject of the access token (70).

28. The method of any of claims 24-27, wherein the proxy (60) is a security edge protection proxy, SEPP.

29. The method of any of claims 24-28, wherein the first wireless communication network (10) requires OAuth 2.0 based authorization of NF service access, wherein the access token (70) is an OAuth 2.0 access token, and wherein: the second wireless communication network (20) does not require OAuth 2.0 based authorization of NF service access; and/or

NF service access in the second wireless communication network (20) is based on static authorization.

30. The method of any of claims 1-29, wherein the access token (70): is a JavaScript Object Notation, JSON, Web Token; and/or is secured with one or more digital signatures or Message Authentication Code(s) based on a JSON Web Signature.

31 . Network equipment (600) configured as a proxy (60) in a first wireless communication network (10), the network equipment (600) comprising: communication circuitry (620); and processing circuitry (610) configured to: receive, from a second wireless communication network (20), a request (50) for a network function, NF, service producer (30) in the first wireless communication network (10) to provide a service to an NF service consumer (40) in the second wireless communication network (20), wherein the request (50) does not include an access token indicating authorization to consume the service from the NF service producer (30); obtain, on behalf of the NF service consumer (40), an access token (70) from a network repository function, NRF, (80) in the first wireless communication network (10), wherein the obtained access token (70) indicates authorization to consume the service from the NF service producer (30); and transmit, towards the NF service producer (30), the received request (50) along with the obtained access token (70).

32. The network equipment (600) of claim 31 , wherein the processing circuitry (610) is configured to perform the method of any of claims 2-11.

33. Network equipment (600) configured to implement a network repository function (80) in a first wireless communication network (10), the network equipment (600) comprising: communication circuitry (620); and processing circuitry (610) configured to: receive, from a proxy (60) in the first wireless communication network (10), a request (75) for an access token (70) that indicates authorization to consume a service from a network function, NF, service producer (30) in the first wireless communication network (10), wherein the request (75) for the access token (70) indicates the request (75) for the access token (70) originated from the proxy (60) and/or is on behalf of an NF service consumer (40) in a second wireless communication network (20); and responsive to the request (75), transmit the requested access token (70) to the proxy (60).

34. The network equipment (600) of claim 33, wherein the processing circuitry (610) is configured to perform the method of any of claims 13-23.

35. Network equipment (600) configured to provide a service as a network function, NF, service producer (30) in a first wireless communication network (10), the network equipment (600) comprising: communication circuitry (620); and processing circuitry (610) configured to: receive, from a proxy (60) in the first wireless communication network (10), a request (50) for the service producer (30) in the first wireless communication network (10) to provide a service to an NF service consumer (40) in a second wireless communication network (20), wherein the request (50) includes an access token (70) indicating authorization to consume the service from the NF service producer (30); verify an integrity of the access token (70) and/or claims in the access token (70), based on the access token (70) having been obtained by the proxy (60) on behalf of the NF service consumer (40) and/or based on a request (75) for the access token (70) having originated from the proxy (60); and respond to the request (50) in dependence on said verifying.

36. The network equipment (600) of claim 35, wherein the processing circuitry (610) is configured to perform the method of any of claims 25-30.

37. A computer program comprising instructions which, when executed by at least one processor of network equipment (600), causes the network equipment (600) to perform the method of any of claims 1-30.

38. A carrier containing the computer program of claim 37, wherein the carrier is one of an electronic signal, optical signal, radio signal, or computer readable storage medium.