WO2024031731A1 - Application program interface (api) invoking method and apparatus, and storage medium - Google Patents


Info

Publication number
WO2024031731A1
Authority
WO
WIPO (PCT)
Prior art keywords
api
authorization
token
caller
function
Prior art date
Application number
PCT/CN2022/112333
Other languages
French (fr)
Chinese (zh)
Inventor
梁浩然
陆伟
Original Assignee
北京小米移动软件有限公司
Application filed by 北京小米移动软件有限公司
Priority to CN202280003046.1A (CN117882348A)
Priority to PCT/CN2022/112333 (WO2024031731A1)
Publication of WO2024031731A1

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L27/00Modulated-carrier systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Provided in the present disclosure are an application program interface (API) invoking method and apparatus, and a storage medium. The API invoking method comprises: in response to a UE having generated or updated an authorization configuration file, sending a setting request message to an access and mobility management function (AMF), wherein the authorization configuration file is used for authorizing other UEs or application functions (AFs) to acquire, modify or set a target resource of the UE, and the setting request message is used for requesting that updated file information content in the authorization configuration file is synchronized to unified data management (UDM); and receiving a setting response message returned by the AMF, wherein the setting response message is used for notifying the UE that the updated file information content has been synchronized to the UDM.

Description

Application program interface (API) invoking method and apparatus, and storage medium
Technical field
The present disclosure relates to the field of communications, and in particular to an application program interface (API) invoking method and apparatus, and a storage medium.
Background
One of the goals of the security study on application enablement for Subscriber-aware Northbound API access (SNA), known as SNAAPP security, is to obtain authorization from the resource owner. Current specifications allow a UE to give and/or withdraw consent for information (e.g. location, presence) shared with third parties. In addition, in the SNA scenario an application program interface (API) invoker may request consent to obtain or set resources (e.g. location, presence) that it owns itself. However, in the API invocation scenario there is no mechanism that enables user authorization for the case where an API invoker obtains or sets a target resource.
Summary
To overcome the problems in the related art, embodiments of the present disclosure provide an application program interface (API) invoking method and apparatus, and a storage medium.
According to a first aspect of the embodiments of the present disclosure, an API invoking method is provided, the method being executed by a user equipment (UE) and comprising:
in response to the UE having generated or updated an authorization profile, sending a setting request message to the access and mobility management function (AMF); wherein the authorization profile is used to authorize other UEs or application functions (AFs) to obtain, modify or set a target resource of the UE, and the setting request message is used to request that the updated file information content in the authorization profile be synchronized to unified data management (UDM);
receiving a setting response message returned by the AMF; wherein the setting response message is used to notify the UE that the updated file information content has been synchronized to the UDM.
According to a second aspect of the embodiments of the present disclosure, an API invoking method is provided, the method being executed by the access and mobility management function (AMF) and comprising:
receiving a setting request message sent by a user equipment (UE); wherein the setting request message is used to request that the updated file information content in the authorization profile of the UE be synchronized to unified data management (UDM), and the authorization profile is used to authorize other UEs or application functions (AFs) to obtain, modify or set a target resource of the UE;
synchronizing the updated file information content to the UDM;
sending a setting response message to the UE; wherein the setting response message is used to notify the UE that the updated file information content has been synchronized to the UDM.
According to a third aspect of the embodiments of the present disclosure, an API invoking method is provided, the method being executed by unified data management (UDM) and comprising:
obtaining the updated file information content provided by the access and mobility management function (AMF); wherein the updated file information content comes from the authorization profile of a user equipment (UE), and the authorization profile is used to authorize other UEs or application functions (AFs) to obtain, modify or set a target resource of the UE;
determining the updated authorization profile based on the updated file information content;
sending the updated authorization profile to the common API framework (CAPIF) function that subscribes to the authorization profile.
According to a fourth aspect of the embodiments of the present disclosure, an API invoking method is provided, the method being executed by an API invoker and comprising:
sending an authorization request message to the common API framework (CAPIF) authentication and authorization function; wherein the authorization request message is used to request authorization to obtain a target resource;
receiving an authorization response message returned by the CAPIF authentication and authorization function; wherein the authorization response message is used to indicate whether the target resource owner consents to the authorization request of the API invoker;
if the authorization response message indicates that the target resource owner consents to the authorization request of the API invoker, sending a service API invocation request message to the API exposure function (AEF) based on the token provided by the CAPIF authentication and authorization function; wherein the token is used to authorize the API invoker to obtain, modify or set the target resource;
receiving a service API invocation response message returned by the AEF; wherein the service API invocation response message carries the target resource.
According to a fifth aspect of the embodiments of the present disclosure, an API invoking method is provided, the method being executed by the common API framework (CAPIF) authorization function and comprising:
receiving an authorization request message sent by an API invoker; wherein the authorization request message is used to request authorization to obtain a target resource;
determining, according to the authorization profile corresponding to the target resource owner, whether the target resource owner consents to the authorization request of the API invoker;
sending an authorization response message to the API invoker; wherein the authorization response message is used to indicate whether the target resource owner consents to the authorization request of the API invoker.
According to a sixth aspect of the embodiments of the present disclosure, an API invoking method is provided, the method being executed by the API exposure function (AEF) and comprising:
receiving a service API invocation request message sent by an API invoker;
if the service API invocation request message carries a token, determining a verification result of verifying the token; wherein the token is used to authorize the API invoker to obtain, modify or set a target resource of the target resource owner;
if the verification result indicates that the token is valid, and the information in the service API invocation request message matches the information in the token, sending a service API invocation response message to the API invoker; wherein the service API invocation response message carries the target resource.
According to a seventh aspect of the embodiments of the present disclosure, an API invoking apparatus is provided, the apparatus being applied to a user equipment (UE) and comprising:
a first sending module configured to, in response to the UE having generated or updated an authorization profile, send a setting request message to the access and mobility management function (AMF); wherein the authorization profile is used to authorize other UEs or application functions (AFs) to obtain, modify or set a target resource of the UE, and the setting request message is used to request that the updated file information content in the authorization profile be synchronized to unified data management (UDM);
a first receiving module configured to receive a setting response message returned by the AMF; wherein the setting response message is used to notify the UE that the updated file information content has been synchronized to the UDM.
According to an eighth aspect of the embodiments of the present disclosure, an API invoking apparatus is provided, the apparatus being applied to the access and mobility management function (AMF) and comprising:
a second receiving module configured to receive a setting request message sent by a user equipment (UE); wherein the setting request message is used to request that the updated file information content in the authorization profile of the UE be synchronized to unified data management (UDM), and the authorization profile is used to authorize other UEs or application functions (AFs) to obtain, modify or set a target resource of the UE;
a first synchronization module configured to synchronize the updated file information content to the UDM;
a second sending module configured to send a setting response message to the UE; wherein the setting response message is used to notify the UE that the updated file information content has been synchronized to the UDM.
According to a ninth aspect of the embodiments of the present disclosure, an API invoking apparatus is provided, the apparatus being applied to unified data management (UDM) and comprising:
an acquisition module configured to obtain the updated file information content provided by the access and mobility management function (AMF); wherein the updated file information content comes from the authorization profile of a user equipment (UE), and the authorization profile is used to authorize other UEs or application functions (AFs) to obtain, modify or set a target resource of the UE;
a first determination module configured to determine the updated authorization profile based on the updated file information content;
a third sending module configured to send the updated authorization profile to the common API framework (CAPIF) function that subscribes to the authorization profile.
According to a tenth aspect of the embodiments of the present disclosure, an API invoking apparatus is provided, the apparatus being applied to an API invoker and comprising:
a fourth sending module configured to send an authorization request message to the common API framework (CAPIF) authentication and authorization function; wherein the authorization request message is used to request authorization to obtain a target resource;
a third receiving module configured to receive an authorization response message returned by the CAPIF authentication and authorization function; wherein the authorization response message is used to indicate whether the target resource owner consents to the authorization request of the API invoker;
a fifth sending module configured to, if the authorization response message indicates that the target resource owner consents to the authorization request of the API invoker, send a service API invocation request message to the API exposure function (AEF) based on the token provided by the CAPIF authentication and authorization function; wherein the token is used to authorize the API invoker to obtain, modify or set the target resource;
a fourth receiving module configured to receive a service API invocation response message returned by the AEF; wherein the service API invocation response message carries the target resource.
According to an eleventh aspect of the embodiments of the present disclosure, an API invoking apparatus is provided, the apparatus being applied to the common API framework (CAPIF) authentication and authorization function and comprising:
a fifth receiving module configured to receive an authorization request message sent by an API invoker; wherein the authorization request message is used to request authorization to obtain a target resource;
a second determination module configured to determine, according to the authorization profile corresponding to the target resource owner, whether the target resource owner consents to the authorization request of the API invoker;
a sixth sending module configured to send an authorization response message to the API invoker; wherein the authorization response message is used to indicate whether the target resource owner consents to the authorization request of the API invoker.
According to a twelfth aspect of the embodiments of the present disclosure, an API invoking apparatus is provided, the apparatus being applied to the API exposure function (AEF) and comprising:
a sixth receiving module configured to receive a service API invocation request message sent by an API invoker;
a third determination module configured to, if the service API invocation request message carries a token, determine a verification result of verifying the token; wherein the token is used to authorize the API invoker to obtain, modify or set a target resource of the target resource owner;
a seventh sending module configured to, if the verification result indicates that the token is valid and the information in the service API invocation request message matches the information in the token, send a service API invocation response message to the API invoker; wherein the service API invocation response message carries the target resource.
According to a thirteenth aspect of the embodiments of the present disclosure, a communication system is provided, comprising:
a user equipment (UE) for executing the API invoking method described in any of the above UE-side aspects;
an access and mobility management function (AMF) for executing the API invoking method described in any of the above AMF-side aspects;
a unified data management (UDM) for executing the API invoking method described in any of the above UDM-side aspects;
an API invoker for executing the API invoking method described in any of the above API-invoker-side aspects;
a CAPIF authentication and authorization function for executing the API invoking method described in any of the above CAPIF-authentication-and-authorization-function-side aspects;
an API exposure function (AEF) for executing the API invoking method described in any of the above AEF-side aspects.
According to a fourteenth aspect of the embodiments of the present disclosure, an API invoking apparatus is provided, comprising:
a processor;
a memory for storing instructions executable by the processor;
wherein the processor is configured to execute the API invoking method described in any of the above UE-side aspects.
According to a fifteenth aspect of the embodiments of the present disclosure, an API invoking apparatus is provided, comprising:
a processor;
a memory for storing instructions executable by the processor;
wherein the processor is configured to execute the API invoking method described in any of the above AMF-side aspects.
According to a sixteenth aspect of the embodiments of the present disclosure, an API invoking apparatus is provided, comprising:
a processor;
a memory for storing instructions executable by the processor;
wherein the processor is configured to execute the API invoking method described in any of the above UDM-side aspects.
According to a seventeenth aspect of the embodiments of the present disclosure, an API invoking apparatus is provided, comprising:
a processor;
a memory for storing instructions executable by the processor;
wherein the processor is configured to execute the API invoking method described in any of the above API-invoker-side aspects.
According to an eighteenth aspect of the embodiments of the present disclosure, an API invoking apparatus is provided, comprising:
a processor;
a memory for storing instructions executable by the processor;
wherein the processor is configured to execute the API invoking method described in any of the above CAPIF-authentication-and-authorization-function-side aspects.
According to a nineteenth aspect of the embodiments of the present disclosure, an API invoking apparatus is provided, comprising:
a processor;
a memory for storing instructions executable by the processor;
wherein the processor is configured to execute the API invoking method described in any of the above AEF-side aspects.
The technical solutions provided by the embodiments of the present disclosure may have the following beneficial effect:
In the present disclosure, user authorization is enabled during the API invocation process, giving high usability.
It should be understood that the foregoing general description and the following detailed description are exemplary and explanatory only, and do not limit the present disclosure.
Description of drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description serve to explain the principles of the invention.
Figure 1 is a schematic flowchart of an API invoking method according to an exemplary embodiment.
Figure 2 is a schematic flowchart of another API invoking method according to an exemplary embodiment.
Figure 3 is a schematic flowchart of another API invoking method according to an exemplary embodiment.
Figure 4 is a schematic flowchart of another API invoking method according to an exemplary embodiment.
Figure 5 is a schematic flowchart of another API invoking method according to an exemplary embodiment.
Figure 6 is a schematic flowchart of another API invoking method according to an exemplary embodiment.
Figure 7 is a schematic flowchart of another API invoking method according to an exemplary embodiment.
Figure 8 is a schematic flowchart of another API invoking method according to an exemplary embodiment.
Figure 9 is a block diagram of an API invoking apparatus according to an exemplary embodiment.
Figure 10 is a block diagram of another API invoking apparatus according to an exemplary embodiment.
Figure 11 is a block diagram of another API invoking apparatus according to an exemplary embodiment.
Figure 12 is a block diagram of another API invoking apparatus according to an exemplary embodiment.
Figure 13 is a block diagram of another API invoking apparatus according to an exemplary embodiment.
Figure 14 is a block diagram of another API invoking apparatus according to an exemplary embodiment.
Figure 15 is a structural block diagram of a communication system according to an exemplary embodiment.
Figure 16 is a schematic structural diagram of an API invoking apparatus according to an exemplary embodiment of the present disclosure.
Figure 17 is a schematic structural diagram of another API invoking apparatus according to an exemplary embodiment of the present disclosure.
Detailed description
Exemplary embodiments will be described in detail here, examples of which are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the invention. Rather, they are merely examples of apparatus and methods consistent with aspects of the invention as detailed in the appended claims.
The terminology used in the present disclosure is for the purpose of describing particular embodiments only and is not intended to limit the disclosure. As used in the present disclosure and the appended claims, the singular forms "a", "said" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any and all possible combinations of at least one of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the present disclosure to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the present disclosure, first information may also be called second information, and similarly, second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
In the present disclosure it may be assumed that the user equipment (UE) is the target resource owner, and that the API invoker is another UE or an application function (AF) in the SNA scenario. The API invoker obtains the target resource of the target resource owner based on user authorization, where the API invoker is the target resource owner.
The API invoking method provided by the present disclosure is first introduced from the UE side.
An embodiment of the present disclosure provides an API invoking method. Referring to Figure 1, which is a flowchart of an API invoking method according to an embodiment, the method may be executed by a UE that is the target resource owner and may comprise the following steps:
In step 101, in response to the UE having generated or updated an authorization profile, a setting request message is sent to the access and mobility management function (AMF).
In an embodiment of the present disclosure, by default the Common API Framework for 3GPP Northbound APIs (CAPIF) function may subscribe to UDM notifications from unified data management (UDM), where a UDM notification indicates that an authorization profile has been updated. CAPIF functions include, but are not limited to, the CAPIF authentication and authorization function and the API Exposure Function (AEF). Specifically, the CAPIF authentication and authorization function may include, but is not limited to, the CAPIF Core Function (CCF) or an Authorization Function; alternatively, the CAPIF authentication and authorization function may be implemented by a network function deployed by the operator, including but not limited to the Network Exposure Function (NEF).
In an embodiment of the present disclosure, the authorization profile is used to authorize other UEs or application functions (AFs) to obtain, modify or set a target resource of the UE.
When the UE has generated an authorization profile, or has updated an already generated authorization profile, it may send a setting request message to the Access and Mobility Management Function (AMF); the setting request message is used to request that the updated file information content in the authorization profile be synchronized to the UDM.
In a possible implementation, the UE may send a first Non-Access Stratum (NAS) message over the N1 interface to the AMF.
In a possible implementation, the authorization profile includes at least one of the following items of information: the type of token to be authorized to the API invoker; the identifier of the API invoker; the identifier of the expected service API; the identifier of the service the API invoker may request; the identifier of the service operation the API invoker may request; the identifier of the target resource the API invoker may request; the identifier of the target resource owner; the geographic area within which the API invoker must be located when accessing the target resource; and the authorization expiry time.
The token types to be authorized to the API invoker include, but are not limited to, a refresh token and an access token.
API调用方的标识可以包括但不限于以下三类:The identity of the API caller can include but is not limited to the following three categories:
第一类,API调用方的终端标识,包括但不限于API调用方的IMS私有用户标识(IP Multimedia Private Identity,IMPI),API调用方的通用公共用户标识(Generic Public Subscription Identifier,GPSI),API调用方的应用层ID(Application layer ID),API调用方的AKMA密钥标识符(AKMA key identifier,A-KID),API调用方的引导会话标识(Bootstrapping Transaction Identifier,B-TID),或API调用方的订阅用户隐藏标识(Subscription Concealed Identifier,SUCI)。The first category is the terminal identification of the API caller, including but not limited to the API caller's IMS Private Identity (IP Multimedia Private Identity, IMPI), the API caller's Generic Public Subscription Identifier (GPSI), API The caller’s Application layer ID (Application layer ID), the API caller’s AKMA key identifier (A-KID), the API caller’s Bootstrapping Transaction Identifier (B-TID), or the API The caller's Subscription Concealed Identifier (SUCI).
第二类,应用功能标识(Application Function ID)或应用标识(Application ID)。The second category is Application Function ID or Application ID.
第三类,应用功能群组标识(Application Function Group ID)或应用群组标识(Application Group ID)。The third category is Application Function Group ID or Application Group ID.
预期服务API的标识是指UE所预期的可以为API调用方服务的API的标识。The identity of the expected service API refers to the identity of the API expected by the UE to serve the API caller.
API调用方可请求获取的服务的标识可以指API调用方可以请求目标资源拥有者授权的服务的标识,API调用方可以请求的服务不超过UE能够提供的服务范围。The identifier of the service that the API caller can request may refer to the identifier of the service that the API caller can request and authorized by the target resource owner. The services that the API caller can request do not exceed the service range that the UE can provide.
API调用方可请求获取的服务操作的标识可以指API调用方可以请求目标资源拥有者授权的服务操作的标识,API调用方可以请求的服务操作不超过UE能够提供的服务操作范围。The identifier of the service operation that the API caller can request may refer to the identifier of the service operation that the API caller can request and authorized by the target resource owner. The service operations that the API caller can request do not exceed the scope of service operations that the UE can provide.
所述目标资源的标识可以标识目标资源拥有者的位置信息、服务质量(Quality of Service,QoS)信息等。The identification of the target resource can identify the location information of the target resource owner, quality of service (Quality of Service, QoS) information, etc.
UE作为目标资源拥有者,目标资源拥有者的标识可以为该UE的终端标识,包括但不限于UE的IMPI、GPSI、应用层ID(Application layer ID)、A-KID、B-TID或SUCI。The UE serves as the target resource owner, and the target resource owner's identity can be the terminal identity of the UE, including but not limited to the UE's IMPI, GPSI, application layer ID (Application layer ID), A-KID, B-TID or SUCI.
API调用方访问目标资源时应处于的地理范围(geographic area)是指API调用方授权访问该目标资源时所在的地理位置所属的范围。The geographical area that the API caller should be in when accessing the target resource refers to the geographic area where the API caller is authorized to access the target resource.
授权到期时间点可以指UE为API调用方配置的授权截止时间点。The authorization expiration time point may refer to the authorization expiration time point configured by the UE for the API caller.
在步骤102中,接收所述AMF返回的设置响应消息。In step 102, receive the setting response message returned by the AMF.
在本公开实施例中,设置响应消息用于通知所述UE已将所述更新的文件信息内容同步给所述UDM。In this embodiment of the present disclosure, the setting response message is used to notify the UE that the updated file information content has been synchronized to the UDM.
在一个可能的实现方式中,UE可以接收所述AMF返回的基于N1接口的第二NAS消息,所述第二NAS消息中携带所述设置响应消息。In a possible implementation, the UE may receive a second NAS message based on the N1 interface returned by the AMF, where the second NAS message carries the setting response message.
上述实施例中,用户设备可以在生成或更新授权配置文件后,向AMF发送设置请求消息,以便将更新的文件信息内容发送给AMF,AMF可以同步给UDM,以便订阅了授权配置文件的CAPIF功能可以从UDM及时获取最新的授权配置文件,在API 调用方请求获取授权时,启用用户授权,可用性高。In the above embodiment, the user equipment can send a setting request message to the AMF after generating or updating the authorization configuration file, so as to send the updated file information content to the AMF. The AMF can synchronize it to the UDM in order to subscribe to the CAPIF function of the authorization configuration file. The latest authorization configuration file can be obtained from UDM in a timely manner. When the API caller requests authorization, user authorization is enabled and the availability is high.
The application program interface (API) invoking method provided by the present disclosure is described next from the AMF side.
An embodiment of the present disclosure provides an API invoking method. Referring to Figure 2, which is a flowchart of an API invoking method according to an embodiment, the method may be performed by the AMF and may include the following steps:
In step 201, a setting request message sent by the user equipment (UE) is received.
In an embodiment of the present disclosure, the setting request message requests that the updated profile information content of the UE's authorization profile be synchronized to the unified data management (UDM) function; the authorization profile is used to authorize other UEs or application functions (AFs) to obtain, modify or set a target resource of the UE.
In a possible implementation, the AMF may receive the first NAS message over the N1 interface sent by the UE.
In a possible implementation, the authorization profile includes at least one of the following items of information: the token type to be authorized to the API invoker; the identifier of the API invoker; the identifier of the expected service API; the identifier of the service the API invoker may request; the identifier of the service operation the API invoker may request; the identifier of the target resource the API invoker may request; the identifier of the target resource owner; the geographic area in which the API invoker should be located when accessing the target resource; and the authorization expiry time point.
The token types to be authorized to the API invoker include, but are not limited to, a refresh token and an access token.
The identifier of the API invoker may include, but is not limited to, the following three categories:
First category: the terminal identifier of the API invoker, including but not limited to the API invoker's IP Multimedia Private Identity (IMPI), Generic Public Subscription Identifier (GPSI), application layer ID, AKMA key identifier (A-KID), Bootstrapping Transaction Identifier (B-TID), or Subscription Concealed Identifier (SUCI).
Second category: the Application Function ID or Application ID.
Third category: the Application Function Group ID or Application Group ID.
The identifier of the expected service API is the identifier of the API that the UE expects to serve the API invoker.
The identifier of the service the API invoker may request refers to the identifier of a service for which the API invoker may request authorization from the target resource owner; the services the API invoker may request do not exceed the range of services the UE is able to provide.
The identifier of the service operation the API invoker may request refers to the identifier of a service operation for which the API invoker may request authorization from the target resource owner; the service operations the API invoker may request do not exceed the range of service operations the UE is able to provide.
The identifier of the target resource may identify the location information, quality of service (QoS) information, etc. of the target resource owner.
The UE is the target resource owner, so the identifier of the target resource owner may be the terminal identifier of that UE, including but not limited to the UE's IMPI, GPSI, application layer ID, A-KID, B-TID or SUCI.
The geographic area in which the API invoker should be located when accessing the target resource is the area that contains the geographic location at which the API invoker is authorized to access that target resource.
The authorization expiry time point may be the authorization cut-off time configured by the UE for the API invoker.
In step 202, the updated profile information content is synchronized to the UDM.
In a possible implementation, the AMF may invoke a target service operation towards the UDM; the target service operation synchronizes the updated profile information content to the UDM and, optionally, carries the updated profile information content.
The target service operation may be the Nudm_ParameterProvision_Update service operation.
In step 203, a setting response message is sent to the UE.
In an embodiment of the present disclosure, the setting response message is used to notify the UE that the updated profile information content has been synchronized to the UDM.
In a possible implementation, the AMF may send the UE a second NAS message over the N1 interface, the second NAS message carrying the setting response message.
In the above embodiment, the AMF can synchronize the updated profile information content to the UDM in a timely manner; the implementation is simple, user authorization is enabled during API invocation, and usability is high.
The API invoking method provided by the present disclosure is described next from the UDM side.
An embodiment of the present disclosure provides an API invoking method. Referring to Figure 3, which is a flowchart of an API invoking method according to an embodiment, the method may be performed by the UDM and may include the following steps:
In step 301, the updated profile information content provided by the access and mobility management function (AMF) is obtained.
In an embodiment of the present disclosure, the updated profile information content comes from the authorization profile of the user equipment (UE); the authorization profile is used to authorize other UEs or application functions (AFs) to obtain, modify or set a target resource of the UE.
In a possible implementation, the authorization profile includes at least one of the following items of information: the token type to be authorized to the API invoker; the identifier of the API invoker; the identifier of the expected service API; the identifier of the service the API invoker may request; the identifier of the service operation the API invoker may request; the identifier of the target resource the API invoker may request; the identifier of the target resource owner; the geographic area in which the API invoker should be located when accessing the target resource; and the authorization expiry time point.
The token types to be authorized to the API invoker include, but are not limited to, a refresh token and an access token.
The identifier of the API invoker may include, but is not limited to, the following three categories:
First category: the terminal identifier of the API invoker, including but not limited to the API invoker's IP Multimedia Private Identity (IMPI), Generic Public Subscription Identifier (GPSI), application layer ID, AKMA key identifier (A-KID), Bootstrapping Transaction Identifier (B-TID), or Subscription Concealed Identifier (SUCI).
Second category: the Application Function ID or Application ID.
Third category: the Application Function Group ID or Application Group ID.
The identifier of the expected service API is the identifier of the API that the UE expects to serve the API invoker.
The identifier of the service the API invoker may request refers to the identifier of a service for which the API invoker may request authorization from the target resource owner; the services the API invoker may request do not exceed the range of services the UE is able to provide.
The identifier of the service operation the API invoker may request refers to the identifier of a service operation for which the API invoker may request authorization from the target resource owner; the service operations the API invoker may request do not exceed the range of service operations the UE is able to provide.
The identifier of the target resource may identify the location information, quality of service (QoS) information, etc. of the target resource owner.
The UE is the target resource owner, so the identifier of the target resource owner may be the terminal identifier of that UE, including but not limited to the UE's IMPI, GPSI, application layer ID, A-KID, B-TID or SUCI.
The geographic area in which the API invoker should be located when accessing the target resource is the area that contains the geographic location at which the API invoker is authorized to access that target resource.
The authorization expiry time point may be the authorization cut-off time configured by the UE for the API invoker.
In step 302, the updated authorization profile is determined based on the updated profile information content.
In a possible implementation, the UDM may store or update the authorization profile in the unified data repository (UDR), thereby determining the updated authorization profile.
Specifically, the UDM may invoke the Nudr_DM_Update service operation to store or update the authorization profile in the UDR.
In step 303, the updated authorization profile is sent to the common API framework (CAPIF) function that has subscribed to the authorization profile.
In an embodiment of the present disclosure, the UDM may have previously received a subscription request message sent by the CAPIF function, the subscription request message requesting a subscription to the authorization profile corresponding to the UE. Accordingly, when the UDM decides to accept the subscription request of the CAPIF function, it obtains the authorization profile corresponding to the UE and sends that authorization profile to the CAPIF function.
In addition, after determining the updated authorization profile, the UDM may send the updated authorization profile to the CAPIF function that has subscribed to the authorization profile.
In an embodiment of the present disclosure, the CAPIF function subscribing to the authorization profile includes, but is not limited to, the CAPIF authentication and authorization function and the API exposure function (AEF). Specifically, the CAPIF authentication and authorization function may include, but is not limited to, the CAPIF core function (CCF) or the authorization function; alternatively, the CAPIF authentication and authorization function may be implemented by a network function deployed by the operator, including but not limited to the NEF.
In the above embodiment, the UDM can promptly notify the CAPIF function that has subscribed to the authorization profile, so that the CAPIF function enables user authorization when an API invoker requests authorization; usability is high.
The API invoking method provided by the present disclosure is described next from the API invoker (caller) side.
An embodiment of the present disclosure provides an API invoking method. Referring to Figure 4, which is a flowchart of an API invoking method according to an embodiment, the method may be performed by the API invoker, which may be another UE or an AF different from the target resource owner, and may include the following steps:
In step 401, an authorization request message is sent to the common API framework (CAPIF) authentication and authorization function.
In an embodiment of the present disclosure, the CAPIF authentication and authorization function may include, but is not limited to, the CCF or the authorization function; alternatively, the CAPIF authentication and authorization function may be implemented by a network function deployed by the operator, including but not limited to the NEF. The authorization request message requests authorization to obtain the target resource.
In one example, the authorization request message includes at least one of the following items of information: the identifier of the API invoker; the identifier of the service API requested by the API invoker; the identifier of the service requested by the API invoker; the identifier of the service operation requested by the API invoker; the identifier of the target resource requested by the API invoker; and the identifier of the target resource owner.
The identifier of the API invoker may include, but is not limited to, the following three categories:
First category: the terminal identifier of the API invoker, including but not limited to the API invoker's IP Multimedia Private Identity (IMPI), Generic Public Subscription Identifier (GPSI), application layer ID, AKMA key identifier (A-KID), Bootstrapping Transaction Identifier (B-TID), or Subscription Concealed Identifier (SUCI).
Second category: the Application Function ID or Application ID.
Third category: the Application Function Group ID or Application Group ID.
The identifier of the target resource may identify the location information, QoS information, etc. of the target resource owner.
The identifier of the service API requested by the API invoker may refer to the identifier of the API for which the API invoker requests authorization from the target resource owner.
The identifier of the service requested by the API invoker may refer to the identifier of the service for which the API invoker requests authorization from the target resource owner.
The identifier of the service operation requested by the API invoker may refer to the identifier of the service operation for which the API invoker requests authorization from the target resource owner.
The UE referred to above in the present disclosure is the target resource owner; accordingly, the identifier of the target resource owner may be the terminal identifier of that UE, including but not limited to the UE's IMPI, GPSI, application layer ID, A-KID, B-TID or SUCI.
In step 402, an authorization response message returned by the CAPIF authentication and authorization function is received.
The authorization response message indicates whether the target resource owner agrees to the authorization request of the API invoker.
In one example, the authorization response message indicates at least one of the following: the token type the UE needs to obtain; whether the UE agrees to grant the specified authorization to the API invoker; that the UE permanently agrees to grant the specified authorization to the API invoker; that the UE permanently refuses to grant the specified authorization to the API invoker; that the API invoker needs a new authorization each time it accesses the target resource; that the UE agrees to grant the specified authorization to the API invoker subject to an authorization condition; and that the UE refuses to grant the specified authorization to the API invoker subject to an authorization condition.
The token types include, but are not limited to, a refresh token and an access token.
The authorization conditions include, but are not limited to, the API invoker being located in a specified geographic area.
For example, the UE agrees to grant the specified authorization to the API invoker when the API invoker is located in the specified geographic area, or the UE refuses to grant the specified authorization to the API invoker when the API invoker is located in the specified geographic area.
The above is merely exemplary; other contents indicated by the authorization response message also fall within the protection scope of the present disclosure.
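The authorization decision described for steps 401 and 402, modelled as an added example (this code is not part of the patent and does not come from the applicant): the CAPIF authentication and authorization function keeps a local copy of each UE's authorization profile as notified by the UDM, and checks an API invoker's authorization request against the profile fields listed above (invoker identity, expected service API, allowed services, operations and resources, geographic area, expiry time point) before answering. The `AuthorizationProfile`, `AuthorizationRequest` and `ProfileStore` structures, the `decide` function, the consent modes and every identifier and area code are assumptions constructed for this example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AuthorizationProfile:
    """Authorization profile as synchronized UE -> AMF -> UDM (fields per the disclosure)."""
    token_type: str                        # token type to be authorized, e.g. "access_token"
    api_invoker_id: str                    # IMPI/GPSI/A-KID/B-TID/SUCI, AF ID or group ID
    expected_service_api: str              # service API the UE expects to serve the invoker
    allowed_services: FrozenSet[str]       # services the invoker may request
    allowed_operations: FrozenSet[str]     # service operations the invoker may request
    allowed_resources: FrozenSet[str]      # target resources the invoker may request
    resource_owner_id: str                 # the UE's own terminal identifier
    geographic_area: Optional[FrozenSet[str]]  # areas the invoker must be in; None = no condition
    expires_at: datetime                   # authorization expiry time point
    consent: str = "conditional"           # assumed modes: conditional | permanent | permanent_denied | per_access


@dataclass(frozen=True)
class AuthorizationRequest:
    """Authorization request message sent by the API invoker (step 401)."""
    api_invoker_id: str
    service_api: str
    service: str
    operation: str
    resource: str
    resource_owner_id: str


class ProfileStore:
    """Assumed cache held by the CAPIF authentication/authorization function,
    refreshed by UDM notifications and keyed by (resource owner, API invoker)."""

    def __init__(self) -> None:
        self._profiles: Dict[Tuple[str, str], AuthorizationProfile] = {}

    def notify(self, profile: AuthorizationProfile) -> None:
        # A newer profile from the UDM replaces the previous one for the same pair.
        self._profiles[(profile.resource_owner_id, profile.api_invoker_id)] = profile

    def lookup(self, owner_id: str, invoker_id: str) -> Optional[AuthorizationProfile]:
        return self._profiles.get((owner_id, invoker_id))


def decide(store: ProfileStore, req: AuthorizationRequest, invoker_area: str,
           now: datetime) -> Tuple[bool, str, Optional[str]]:
    """Return (granted, reason, token_type); token_type is None when denied."""
    p = store.lookup(req.resource_owner_id, req.api_invoker_id)
    if p is None:
        return False, "no authorization profile for this owner/invoker pair", None
    if p.consent == "permanent_denied":
        return False, "owner permanently refused this invoker", None
    if now >= p.expires_at:
        return False, "authorization expired", None
    if req.service_api != p.expected_service_api:
        return False, "service API is not the one the owner expects", None
    if req.service not in p.allowed_services:
        return False, "service outside the owner's authorized scope", None
    if req.operation not in p.allowed_operations:
        return False, "service operation outside the owner's authorized scope", None
    if req.resource not in p.allowed_resources:
        return False, "target resource not authorized", None
    if p.geographic_area is not None and invoker_area not in p.geographic_area:
        return False, "invoker outside the authorized geographic area", None
    if p.consent == "per_access":
        return True, "granted; a new authorization is required on each access", p.token_type
    return True, "granted", p.token_type


NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock value
AFTER_EXPIRY = NOW + timedelta(hours=2)                   # later than the sample profile's expiry

# Constructed sample profile; identifiers are placeholders, not real subscriber identities.
SAMPLE_PROFILE = AuthorizationProfile(
    token_type="access_token", api_invoker_id="gpsi-invoker-0001",
    expected_service_api="3gpp-location-api", allowed_services=frozenset({"location"}),
    allowed_operations=frozenset({"get"}), allowed_resources=frozenset({"location-info"}),
    resource_owner_id="gpsi-owner-0001", geographic_area=frozenset({"area-A"}),
    expires_at=NOW + timedelta(hours=1), consent="conditional")


def sample_request(**overrides) -> AuthorizationRequest:
    base = dict(api_invoker_id="gpsi-invoker-0001", service_api="3gpp-location-api",
                service="location", operation="get", resource="location-info",
                resource_owner_id="gpsi-owner-0001")
    base.update(overrides)
    return AuthorizationRequest(**base)


def demo() -> Dict[str, bool]:
    """Run the decision over a set of constructed requests; True means granted."""
    store = ProfileStore()
    store.notify(SAMPLE_PROFILE)
    results = {
        "in_scope_in_area": decide(store, sample_request(), "area-A", NOW)[0],
        "out_of_area": decide(store, sample_request(), "area-B", NOW)[0],
        "expired": decide(store, sample_request(), "area-A", AFTER_EXPIRY)[0],
        "operation_out_of_scope": decide(store, sample_request(operation="set"), "area-A", NOW)[0],
        "unknown_invoker": decide(store, sample_request(api_invoker_id="gpsi-invoker-0002"), "area-A", NOW)[0],
    }
    # The owner updates the profile; the UDM notification replaces the cached copy.
    store.notify(replace(SAMPLE_PROFILE, consent="permanent_denied"))
    results["after_owner_revokes"] = decide(store, sample_request(), "area-A", NOW)[0]
    return results


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The order of the checks is deliberate: identity and consent are settled before scope, and the geographic condition is evaluated last because it depends on the invoker's current location rather than on the profile alone. The `notify` path is what a CAPIF function subscribed to the profile would execute on each UDM notification, so a revocation by the UE takes effect on the next request.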
在一个示例中,授权响应消息中可以直接携带令牌,令牌用于获取、修改或设置所述目标资源。In one example, the authorization response message may directly carry a token, and the token is used to obtain, modify, or set the target resource.
在另一个示例中,授权响应消息中携带授权码,API调用方可以向CAPIF认证授权功能发送该请求获取所述令牌的第一令牌请求消息,其中,所述第一令牌请求消息中携带所述授权码。进一步地,CAPIF认证授权功能可以基于该授权码,向API调用方发送携带所述令牌的令牌响应消息。In another example, the authorization response message carries the authorization code, and the API caller can send the first token request message requesting to obtain the token to the CAPIF authentication authorization function, wherein in the first token request message Bring the authorization code. Further, the CAPIF authentication and authorization function can send a token response message carrying the token to the API caller based on the authorization code.
在一个示例中,令牌中包括但不限于以下至少一项信息:令牌类型;所述CAPIF认证授权功能的标识;所述API调用方的标识;预期服务API的标识;所述API调用方请求获取的服务的标识;所述API调用方请求获取的服务操作的标识;所述目标资源的标识;目标资源拥有者的标识;所述API调用方访问所述目标资源时所处的地理范围;所述AEF的标识;所述令牌的有效截止时间点。In one example, the token includes but is not limited to at least one of the following information: token type; the identity of the CAPIF authentication and authorization function; the identity of the API caller; the identity of the expected service API; the API caller The identification of the service requested; the identification of the service operation requested by the API caller; the identification of the target resource; the identification of the owner of the target resource; the geographical range in which the API caller accesses the target resource. ;The identification of the AEF; the validity expiration time point of the token.
其中,CAPIF认证授权功能的标识包括但不限于以下三类:Among them, the identifiers of CAPIF authentication and authorization functions include but are not limited to the following three categories:
第一类,域名信息,包括但不限于CAPIF认证授权功能的完全限定域名(Fully Qualified Domain Name,FQDN)、CAPIF认证授权功能的地址,包括但不限于CAPIF认证授权功能的互联网协议(Internet Protocol,IP)地址。The first category is domain name information, including but not limited to the fully qualified domain name (FQDN) of the CAPIF authentication and authorization function, the address of the CAPIF authentication and authorization function, including but not limited to the Internet Protocol (Internet Protocol) of the CAPIF authentication and authorization function. IP) address.
第二类,CAPIF认证授权功能的网络功能标识(Network Function ID)或网络功能实体标识(Network function instance ID或NF instance ID)。The second category is the network function ID (Network Function ID) or network function entity ID (Network function instance ID or NF instance ID) of the CAPIF authentication and authorization function.
Third, the Network Function Set ID of the CAPIF authentication and authorization function, and the like.
The identifier of the API caller may include, but is not limited to, the following three categories:
First, a terminal identifier of the API caller, including but not limited to the API caller's IMS Private Identity (IP Multimedia Private Identity, IMPI), Generic Public Subscription Identifier (GPSI), Application layer ID, AKMA key identifier (A-KID), Bootstrapping Transaction Identifier (B-TID), or Subscription Concealed Identifier (SUCI).
Second, an Application Function ID or an Application ID.
Third, an Application Function Group ID or an Application Group ID.
The UE is the target resource owner; accordingly, the identifier of the target resource owner may be the terminal identifier of that UE, including but not limited to the UE's IMPI, GPSI, Application layer ID, A-KID, B-TID or SUCI.
The identifier of the expected service API may refer to the identifier of the API that the CAPIF authentication and authorization function expects to serve the API caller.
The identifier of the service requested by the API caller may refer to the identifier of the service for which the API caller requests authorization from the target resource owner.
The identifier of the service operation requested by the API caller may refer to the identifier of the service operation for which the API caller requests authorization from the target resource owner.
The identifier of the AEF includes, but is not limited to, the following three categories:
First, domain name information of the AEF, including but not limited to the AEF's FQDN, IP address, etc.
Second, the Network Function instance ID (NF instance ID) or Network Function ID of the AEF.
Third, a Network Function Set ID.
In step 403, if the authorization response message indicates that the target owner agrees to the API caller's authorization request, a service API call request message is sent to the API exposing function (AEF) based on the token provided by the CAPIF authentication and authorization function.
In the embodiment of the present disclosure, the API caller may determine, based on local configuration information or the API caller identifier in the token, the AEF to which the service API call request message is to be sent, and then send the service API call request message to that AEF.
In the embodiment of the present disclosure, the service API call request message includes at least one of the following: the identifier of the API caller; the identifier of the target resource owner; the identifier of the target resource; the identifier of the service API requested by the API caller; the identifier of the service requested by the API caller; the identifier of the service operation requested by the API caller; a token.
The identifier of the API caller may include, but is not limited to, the following three categories:
First, a terminal identifier of the API caller, including but not limited to the API caller's IMS Private Identity (IP Multimedia Private Identity, IMPI), Generic Public Subscription Identifier (GPSI), Application layer ID, AKMA key identifier (A-KID), Bootstrapping Transaction Identifier (B-TID), or Subscription Concealed Identifier (SUCI).
Second, an Application Function ID or an Application ID.
Third, an Application Function Group ID or an Application Group ID.
Here the UE acts as the target resource owner, and the identifier of the target resource owner may be the terminal identifier of that UE, including but not limited to the UE's IMPI, GPSI, Application layer ID, A-KID, B-TID or SUCI.
The identifier of the target resource may identify the target resource owner's location information, QoS information, etc.
The identifier of the service API requested by the API caller may refer to the identifier of the service API for which the API caller requests authorization from the target resource owner.
The identifier of the service requested by the API caller may refer to the identifier of the service for which the API caller requests authorization from the target resource owner.
The identifier of the service operation requested by the API caller may refer to the identifier of the service operation for which the API caller requests authorization from the target resource owner.
In one example, the token includes, but is not limited to, at least one of the following: the token type; the identifier of the CAPIF authentication and authorization function; the identifier of the API caller; the identifier of the expected service API; the identifier of the service requested by the API caller; the identifier of the service operation requested by the API caller; the identifier of the target resource; the identifier of the target resource owner; the geographic area in which the API caller is located when accessing the target resource; the identifier of the AEF; the expiry time point of the token.
The specific information content of the token has been described in the above embodiments and is not repeated here.
In one possible implementation, if the CAPIF authentication and authorization function has provided the API caller with a first token whose token type is refresh token, the API caller, when it needs to obtain the target resource, sends to the CAPIF authentication and authorization function a second token request message carrying the first token. The second token request message is used to request a second token whose token type is access token.
Further, the API caller may receive the second token, whose token type is access token, returned by the CAPIF authentication and authorization function, and send the service API call request message to the AEF based on the second token.
In another possible implementation, if the CAPIF authentication and authorization function has provided a second token whose token type is access token, the API caller may send the service API call request message to the AEF directly based on the second token.
In step 404, the service API call response message returned by the AEF is received.
When the AEF determines that the token is valid and that the information in the service API call request message matches the information in the token, it may send the API caller a service API call response message carrying the target resource requested by the API caller.
In the above embodiments, the API caller may obtain the target resource of the target resource owner based on user authorization, where the API caller is the target resource owner. This enables user authorization in the API calling process and is highly practical.
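The AEF-side check described for step 404 (the token is valid and the request information matches the token information), as an added Python example that is not part of the disclosure. It assumes the token is carried as canonical JSON claims with an HMAC-SHA256 tag under a key shared between the CAPIF authentication and authorization function and the AEF; the field names, the shared key and the sample identifiers are this example's own.

```python
# AEF-side verification of a service API call request (added example, not from the disclosure).
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Request fields that, when present, must equal the same-named token claim
# (the disclosure requires the request information to match the token information).
MATCHED_FIELDS = ("api_caller_id", "resource_owner_id", "target_resource_id",
                  "service_api_id", "service_id", "service_operation_id")


def sign_token(claims: dict, key: bytes) -> str:
    """Assumed wire format: canonical JSON claims + '.' + HMAC-SHA256 tag under the CAPIF/AEF shared key."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return body.decode() + "." + hmac.new(key, body, hashlib.sha256).hexdigest()


def parse_token(token: str, key: bytes) -> Optional[dict]:
    """Claims if the tag verifies (constant-time comparison), else None."""
    body, sep, tag = token.rpartition(".")
    if not sep or not hmac.compare_digest(tag, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()):
        return None
    return json.loads(body)


def verify_service_api_request(request: dict, key: bytes, aef_id: str, now: float,
                               caller_area: Optional[str] = None) -> Tuple[bool, str]:
    """Step 404: is the token valid and does the request match it? caller_area is the
    geographic area the AEF has established for the caller (how it does so is outside this example)."""
    claims = parse_token(request.get("token", ""), key)
    if claims is None:
        return False, "token integrity check failed"
    if claims.get("token_type") != "access_token":
        return False, "only an access token may be presented to the AEF"
    if claims.get("aef_id") != aef_id:
        return False, "token was issued for a different AEF"
    if now >= float(claims.get("expires_at", 0)):
        return False, "token expired"
    for name in MATCHED_FIELDS:
        if name in request and request[name] != claims.get(name):
            return False, f"{name} in request does not match token"
    area = claims.get("geographic_area")
    if area is not None and caller_area != area:
        return False, "caller is outside the authorised geographic area"
    return True, "ok"


# Constructed sample data (not real identifiers).
SHARED_KEY = b"constructed-demo-key-not-for-production"
AEF_ID = "aef-nf-instance-0001"
NOW = 1_700_000_000.0
SAMPLE_CLAIMS = {"token_type": "access_token", "capif_function_id": "capif-core-1",
                 "api_caller_id": "af-weather-001", "resource_owner_id": "gpsi-msisdn-8613800000000",
                 "target_resource_id": "location-info", "service_api_id": "nnef-location",
                 "service_id": "location", "service_operation_id": "get",
                 "geographic_area": "area-shanghai", "aef_id": AEF_ID, "expires_at": NOW + 300}


def build_request(claims: dict, key: bytes, **overrides) -> dict:
    """Service API call request carrying the token; overrides simulate a request that deviates from it."""
    request = {name: claims[name] for name in MATCHED_FIELDS}
    request.update(overrides)
    request["token"] = sign_token(claims, key)
    return request


def demo() -> dict:
    good = build_request(SAMPLE_CLAIMS, SHARED_KEY)
    wrong_resource = build_request(SAMPLE_CLAIMS, SHARED_KEY, target_resource_id="qos-info")
    tampered = {**good, "token": good["token"].replace('"get"', '"set"', 1)}  # claim altered after issue
    args = (SHARED_KEY, AEF_ID)
    return {
        "good": verify_service_api_request(good, *args, NOW, "area-shanghai"),
        "wrong_resource": verify_service_api_request(wrong_resource, *args, NOW, "area-shanghai"),
        "tampered": verify_service_api_request(tampered, *args, NOW, "area-shanghai"),
        "expired": verify_service_api_request(good, *args, NOW + 600, "area-shanghai"),
        "outside_area": verify_service_api_request(good, *args, NOW, "area-beijing"),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:>14}: {'accept' if ok else 'reject'} ({reason})")
```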
In some optional embodiments, when the API caller determines that it needs to obtain the target resource, it may first determine whether an authorized token or an authorization code is already held locally.
In one possible implementation, when the API caller holds an authorized token locally and that token is the second token, it may send the service API call request message directly to the AEF and receive the service API call response message returned by the AEF.
The specific implementation is similar to steps 403 and 404 above and is not repeated here.
In another possible implementation, when the API caller holds an authorization code locally, it may send to the CAPIF authentication and authorization function a first token request message requesting the token, the first token request message carrying the authorization code. Further, the API caller may receive the token response message carrying the token returned by the CAPIF authentication and authorization function.
When the token that the CAPIF authentication and authorization function provides to the API caller in the token response message is a first token whose token type is refresh token, the API caller, when it needs to obtain the target resource, sends the second token request message to the CAPIF authentication and authorization function, then sends the service API call request message to the AEF based on the second token, and receives the service API call response message returned by the AEF.
If the token that the CAPIF authentication and authorization function provides to the API caller in the token response message is a second token whose token type is access token, the API caller sends the service API call request message to the AEF based on the second token and receives the service API call response message returned by the AEF.
In the above embodiments, the API caller may obtain the target resource directly from the AEF in the manner described, or obtain a token from the CAPIF authentication and authorization function and then obtain the target resource from the AEF, without requesting authorization from the target resource owner again. This saves signalling resources and is highly practical.
In some optional embodiments, the API caller may perform mutual authentication with the CAPIF authentication and authorization function in advance. The CAPIF authentication and authorization function may include, but is not limited to, the CAPIF core function or an authorization function; alternatively, it may be implemented by a network function deployed by the operator, including but not limited to the NEF.
In one possible implementation, the API caller may perform certificate-based mutual authentication with the CAPIF authentication and authorization function.
In another possible implementation, the API caller may perform mutual authentication with the CAPIF authentication and authorization function based on the Generic Bootstrapping Architecture (GBA).
In another possible implementation, the API caller may perform mutual authentication with the CAPIF authentication and authorization function based on the AKMA mechanism.
In one example, the CAPIF authentication and authorization function is the CAPIF core function; the API caller may authenticate the CAPIF core function based on a certificate, and the CAPIF core function may authenticate the API caller based on GBA, the AKMA mechanism or a certificate.
The CAPIF core function may generate the certificate for the API caller after the API caller has completed online onboarding.
In another example, the CAPIF authentication and authorization function is an authorization function; the API caller may authenticate the authorization function based on a certificate, and the authorization function may authenticate the API caller based on GBA, the AKMA mechanism or a certificate.
The certificate may be assigned by the CAPIF core function.
In the embodiment of the present disclosure, after mutual authentication with the CAPIF authentication and authorization function succeeds, the API caller may establish a first secure connection with the CAPIF authentication and authorization function over TLS.
Further, the API caller may send the authorization request message to the CAPIF authentication and authorization function over the first secure connection.
The API caller may receive the authorization response message sent by the CAPIF authentication and authorization function over the first secure connection.
In the above embodiments, the API caller may perform mutual authentication with the CAPIF authentication and authorization function and, once authentication succeeds, establish the first secure connection, thereby ensuring secure transfer of the authorization request message and the authorization response message. This is highly practical.
In some optional embodiments, the API caller may perform mutual authentication with the AEF in advance.
In one possible implementation, the API caller may perform certificate-based mutual authentication with the AEF.
In another possible implementation, the API caller may perform mutual authentication with the AEF based on GBA.
In another possible implementation, the API caller may perform mutual authentication with the AEF based on the AKMA mechanism.
In one example, the API caller may authenticate the AEF based on a certificate, and the AEF may authenticate the API caller based on GBA, the AKMA mechanism or a certificate.
The certificate may be assigned by the CAPIF core function.
In the embodiment of the present disclosure, after mutual authentication with the AEF succeeds, the API caller may establish a second secure connection with the AEF over TLS.
Further, the API caller sends the service API call request message carrying the token to the AEF over the second secure connection.
The API caller may receive the service API call response message returned by the AEF over the second secure connection.
Here, the token is the second token, whose token type is access token.
In the above embodiments, the API caller may perform mutual authentication with the AEF and, once authentication succeeds, establish the second secure connection, thereby ensuring secure transfer of the token and of the target resource. This is highly practical.
The API calling method provided by the present disclosure is described next from the side of the CAPIF authentication and authorization function.
An embodiment of the present disclosure provides an API calling method, shown in Figure 5, which is a flowchart of an API calling method according to an embodiment. The method may be executed by the CAPIF authentication and authorization function, which may include but is not limited to the CAPIF core function or an authorization function, or may be implemented by a network function deployed by the operator; the present disclosure does not limit this. The method may include the following steps:
In step 501, an authorization request message sent by the API caller is received.
In the embodiment of the present disclosure, the authorization request message is used to request authorization to obtain a target resource. The API caller may be another UE different from the target resource owner, or an AF. The target resource includes, but is not limited to, the location information, QoS information, etc. of the UE that is the target resource owner.
In one possible implementation, the authorization configuration file includes at least one of the following: the token type to be granted to the API caller; the identifier of the API caller; the identifier of the expected service API; the identifier of the service the API caller may request; the identifier of the service operation the API caller may request; the identifier of the target resource the API caller may request; the identifier of the target resource owner; the geographic area in which the API caller should be located when accessing the target resource; the authorization expiry time point.
In one possible implementation, the authorization request message includes at least one of the following: the identifier of the API caller; the identifier of the service API requested by the API caller; the identifier of the service requested by the API caller; the identifier of the service operation requested by the API caller; the identifier of the target resource requested by the API caller; the identifier of the target resource owner.
The specific information content of the authorization request message and of the authorization configuration file is the same as described in the above embodiments and is not repeated here.
In step 502, it is determined, according to the authorization configuration file corresponding to the target resource owner, whether the target resource owner agrees to the API caller's authorization request.
In the embodiment of the present disclosure, having subscribed to the authorization configuration file, the CAPIF authentication and authorization function obtains the authorization configuration file, or the updated authorization configuration file, from the UDM, so that it can determine from the latest authorization configuration file whether the target resource owner agrees to the API caller's authorization request.
In step 503, an authorization response message is sent to the API caller.
The authorization response message is used to indicate whether the target resource owner agrees to the API caller's authorization request.
In one example, the authorization response message indicates at least one of the following: the token type the UE needs to obtain; whether the UE agrees to provide the specified authorization to the API caller; that the UE permanently agrees to provide the specified authorization to the API caller; that the UE permanently refuses to provide the specified authorization to the API caller; that the API caller needs a new authorization each time it accesses the target resource; that the UE agrees to provide the specified authorization to the API caller subject to an authorization condition; that the UE refuses to provide the specified authorization to the API caller subject to an authorization condition.
Token types include, but are not limited to, refresh token and access token.
Authorization conditions include, but are not limited to, the API caller being located in a specified geographic area.
For example, the UE agrees to provide the specified authorization to the API caller when the API caller is located within the specified geographic area, or the UE refuses to provide the specified authorization to the API caller when the API caller is located within the specified geographic area.
The above is merely exemplary; other contents indicated by the authorization response message also fall within the scope of protection of the present disclosure.
In one possible implementation, if the target resource owner agrees to the API caller's authorization request, the authorization response message may directly carry the token, the token being used to authorize the API caller to obtain, modify or set the target resource.
In another possible implementation, if the target resource owner agrees to the API caller's authorization request, the authorization response message may carry an authorization code. Further, the CAPIF authentication and authorization function may receive a first token request message sent by the API caller requesting the token, the first token request message carrying the authorization code, where the token is a token used to obtain, modify or set the target resource. After verifying the authorization code, the CAPIF authentication and authorization function sends a token response message carrying the token to the API caller.
In one example, the token includes, but is not limited to, at least one of the following: the token type; the identifier of the CAPIF authentication and authorization function; the identifier of the API caller; the identifier of the expected service API; the identifier of the service requested by the API caller; the identifier of the service operation requested by the API caller; the identifier of the target resource; the identifier of the target resource owner; the geographic area in which the API caller is located when accessing the target resource; the identifier of the AEF; the expiry time point of the token.
The specific meaning of the information contained in the token has been described in the above embodiments and is not repeated here.
In the embodiment of the present disclosure, if it is determined from the authorization configuration file that the target resource owner agrees to the API caller's authorization request, the CAPIF authentication and authorization function may generate for the API caller a token constrained by the authorization configuration file, the generated token type being access token or refresh token.
In the embodiment of the present disclosure, if it is determined from the authorization configuration file corresponding to the target resource owner that the target resource owner agrees to the API caller's authorization request, and what the CAPIF authentication and authorization function provides to the API caller is a first token whose token type is refresh token (for example, the CAPIF authentication and authorization function provides the first token in the authorization response message or in the token response message), the CAPIF authentication and authorization function may receive a second token request message sent by the API caller when it needs to obtain the target resource. The second token request message is used to request a second token whose token type is access token, and carries the first token.
In the embodiment of the present disclosure, based on the second token request message, the CAPIF authentication and authorization function may verify that the first token is legitimate and then send the API caller the second token whose token type is access token. The API caller may then send the service API call request message to the AEF based on the second token.
If the target resource owner agrees to the API caller's authorization request, and what the CAPIF authentication and authorization function provides to the API caller is a second token whose token type is access token (for example, the CAPIF authentication and authorization function provides the second token in the authorization response message or in the token response message), the API caller may send the service API call request message to the AEF directly based on the second token.
In the above embodiments, the CAPIF authentication and authorization function may obtain the latest authorization configuration file from the UDM and, upon receiving the API caller's authorization request message, determine from the latest authorization configuration file whether the UE agrees to grant authorization, then send the authorization response message to the API caller. This enables user authorization in the API calling process and is highly practical.
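The CAPIF-side decision of steps 502 and 503, the issuing of a token constrained by the authorization configuration file, and the exchange of a first token (refresh token) for a second token (access token) described above, as an added Python example that is not from the disclosure. It assumes the function holds the latest authorization configuration file per resource owner as received from UDM and validates a presented first token against its own record of issued tokens; token encoding and integrity protection are left to the TLS-protected connection and are not modelled, and all class, field and sample identifier names are this example's own.

```python
# CAPIF authentication and authorization function side (added example, not from the disclosure).
from dataclasses import dataclass
from typing import Dict, List, Optional
import secrets

SCOPE_FIELDS = ("service_api_id", "service_id", "service_operation_id", "target_resource_id")


@dataclass
class AuthorizationProfile:
    """Authorization configuration file as fetched from UDM (fields as listed in the disclosure)."""
    token_type: str                      # token type to grant: "refresh_token" or "access_token"
    api_caller_id: str
    expected_service_api_id: str
    allowed_service_ids: List[str]
    allowed_service_operation_ids: List[str]
    allowed_target_resource_ids: List[str]
    resource_owner_id: str
    geographic_area: Optional[str]       # area the caller must be in; None = unrestricted
    expires_at: float                    # authorization expiry time point


class CapifAuthorizationFunction:
    def __init__(self, function_id: str, aef_id: str, access_token_lifetime: float = 600.0):
        self.function_id, self.aef_id, self.access_token_lifetime = function_id, aef_id, access_token_lifetime
        self.profiles: Dict[str, AuthorizationProfile] = {}  # latest file per resource owner (from UDM)
        self.issued: Dict[str, dict] = {}                     # token_id -> claims, for refresh-token checks

    def on_profile_update(self, profile: AuthorizationProfile) -> None:
        self.profiles[profile.resource_owner_id] = profile   # UDM delivered a new or updated file

    def decide(self, request: dict, now: float) -> Optional[str]:
        """Step 502: None if the owner consents, otherwise the reason for refusal."""
        p = self.profiles.get(request.get("resource_owner_id"))
        if p is None or now >= p.expires_at:
            return "no unexpired authorization configuration file for this resource owner"
        if request.get("api_caller_id") != p.api_caller_id:
            return "API caller is not the one authorized by the owner"
        if request.get("service_api_id") != p.expected_service_api_id:
            return "service API not covered by the authorization"
        for name, allowed in (("service_id", p.allowed_service_ids),
                              ("service_operation_id", p.allowed_service_operation_ids),
                              ("target_resource_id", p.allowed_target_resource_ids)):
            if request.get(name) not in allowed:
                return f"{name} not permitted by the authorization configuration file"
        return None

    def _issue(self, p: AuthorizationProfile, scope: dict, now: float, token_type: str) -> dict:
        """Token claims bound by the file; an access token additionally gets a short lifetime."""
        expires = p.expires_at if token_type == "refresh_token" else min(p.expires_at, now + self.access_token_lifetime)
        claims = {"token_id": secrets.token_hex(8), "token_type": token_type,
                  "capif_function_id": self.function_id, "api_caller_id": p.api_caller_id,
                  "resource_owner_id": p.resource_owner_id, "geographic_area": p.geographic_area,
                  "aef_id": self.aef_id, "expires_at": expires, **{n: scope[n] for n in SCOPE_FIELDS}}
        self.issued[claims["token_id"]] = claims
        return claims

    def handle_authorization_request(self, request: dict, now: float) -> dict:
        """Step 503: authorization response carrying a token of the type the file prescribes."""
        reason = self.decide(request, now)
        if reason is not None:
            return {"granted": False, "reason": reason}
        p = self.profiles[request["resource_owner_id"]]
        return {"granted": True, "token": self._issue(p, {n: request[n] for n in SCOPE_FIELDS}, now, p.token_type)}

    def handle_second_token_request(self, first_token: dict, api_caller_id: str, now: float) -> Optional[dict]:
        """Second token request: exchange a refresh token (first token) for an access token (second token)."""
        known = self.issued.get(first_token.get("token_id"))
        if known != first_token or known["token_type"] != "refresh_token" or now >= known["expires_at"]:
            return None                   # not issued here, altered, not a refresh token, or expired
        scope = {n: known[n] for n in SCOPE_FIELDS}
        recheck = {"resource_owner_id": known["resource_owner_id"], "api_caller_id": api_caller_id, **scope}
        if self.decide(recheck, now) is not None:
            return None                   # presented by another caller, or the owner has since changed the file
        return self._issue(self.profiles[known["resource_owner_id"]], scope, now, "access_token")


# Constructed sample data (not real identifiers): one owner authorising one AF to read its location.
NOW = 1_700_000_000.0
OWNER_PROFILE = AuthorizationProfile("refresh_token", "af-weather-001", "nnef-location", ["location"],
                                     ["get"], ["location-info"], "gpsi-msisdn-8613800000000",
                                     "area-shanghai", NOW + 86_400)
AUTH_REQUEST = {"api_caller_id": "af-weather-001", "resource_owner_id": "gpsi-msisdn-8613800000000",
                "service_api_id": "nnef-location", "service_id": "location",
                "service_operation_id": "get", "target_resource_id": "location-info"}


def demo() -> dict:
    capif = CapifAuthorizationFunction("capif-core-1", "aef-nf-instance-0001")
    capif.on_profile_update(OWNER_PROFILE)
    granted = capif.handle_authorization_request(AUTH_REQUEST, NOW)
    refused = capif.handle_authorization_request({**AUTH_REQUEST, "target_resource_id": "qos-info"}, NOW)
    access = capif.handle_second_token_request(granted["token"], "af-weather-001", NOW + 60)
    other_caller = capif.handle_second_token_request(granted["token"], "af-other-002", NOW + 60)
    return {"granted": granted, "refused": refused, "access": access, "other_caller": other_caller}


if __name__ == "__main__":
    print(demo())
```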
In some optional embodiments, the CAPIF authentication and authorization function may perform mutual authentication with the API caller in advance. The CAPIF authentication and authorization function may include, but is not limited to, the CAPIF core function or an authorization function; alternatively, it may be implemented by a network function deployed by the operator, including but not limited to the NEF. The API caller may be a UE or an AF, where the UE is a UE different from the target resource owner.
In one possible implementation, the CAPIF authentication and authorization function may perform certificate-based mutual authentication with the API caller.
In another possible implementation, the CAPIF authentication and authorization function may perform mutual authentication with the API caller based on the Generic Bootstrapping Architecture (GBA).
In another possible implementation, the CAPIF authentication and authorization function may perform mutual authentication with the API caller based on the AKMA mechanism.
In one example, the CAPIF authentication and authorization function is the CAPIF core function; the API caller may authenticate the CAPIF core function based on a certificate, and the CAPIF core function may authenticate the API caller based on GBA, the AKMA mechanism or a certificate.
The CAPIF core function may generate the certificate for the API caller after the API caller has completed online onboarding. That is, the UE's certificate is assigned to the UE by the CAPIF authentication and authorization function.
In another example, the CAPIF authentication and authorization function is an authorization function; the API caller may authenticate the authorization function based on a certificate, and the authorization function may authenticate the API caller based on GBA, the AKMA mechanism or a certificate.
The certificate may be assigned by the CAPIF core function.
In the embodiment of the present disclosure, after mutual authentication with the API caller succeeds, the CAPIF authentication and authorization function may establish a first secure connection with the API caller over TLS.
Further, the CAPIF authentication and authorization function may receive the authorization request message sent by the API caller over the first secure connection.
The CAPIF authentication and authorization function may send the authorization response message to the API caller over the first secure connection.
In the above embodiments, the CAPIF authentication and authorization function may perform mutual authentication with the API caller and, once authentication succeeds, establish the first secure connection, thereby ensuring secure transfer of the authorization request message and the authorization response message. This is highly practical.
Next, the application program interface (API) calling method provided by the present disclosure is described from the AEF side.
An embodiment of the present disclosure provides an API calling method. Referring to Figure 6, which is a flow chart of an API calling method according to an embodiment, the method can be executed by the AEF and can include the following steps:
In step 601, a service API call request message sent by the API caller is received.
In the embodiment of the present disclosure, the API caller may be another UE different from the UE, or an AF.
In one example, the service API call request message includes at least one of the following: the identifier of the API caller; the identifier of the target resource owner; the identifier of the target resource; the identifier of the service API the API caller requests to access; the identifier of the service the API caller requests to access; the identifier of the service operation the API caller requests to access; a token.
The token is used to authorize the API caller to obtain, modify or set the target resource of the target resource owner.
The specific information content of the service API call request message has been described in the above embodiments and is not repeated here.
In step 602, if the service API call request message carries a token, a verification result of verifying the token is determined.
The token is used to authorize the API caller to obtain the target resource of the target resource owner. The information included in the token has been described in the above embodiments and is not repeated here.
In one example, the AEF may verify the integrity of the token based on the public key of the CAPIF authentication and authorization function and thereby determine the verification result.
In one example, the AEF may send the token to the CAPIF authentication and authorization function and receive from it the verification result of verifying the integrity of the token.
It should be noted that when the service API call request message carries the second token, whose token type is access token, the AEF determines the verification result of verifying the second token.
In step 603, if the verification result indicates that the token is valid and the information in the service API call request message matches the information in the token, a service API call response message is sent to the API caller.
In one example, the information in the service API call request message includes: the identifier of the API caller; the identifier of the target resource owner; the identifier of the target resource; the identifier of the service API the API caller requests to access; the identifier of the service the API caller requests to access; the identifier of the service operation the API caller requests to access.
In one example, the token includes, but is not limited to, at least one of the following items of information: the token type; the identifier of the CAPIF authentication and authorization function; the identifier of the API caller; the identifier of the expected service API; the identifier of the service the API caller requests to access; the identifier of the service operation the API caller requests to access; the identifier of the target resource; the identifier of the target resource owner; the geographical area in which the API caller is located when accessing the target resource; the identifier of the AEF; the expiry time of the token.
The AEF needs to compare whether the information in the service API call request message matches the information in the token. When the verification result indicates that the token is valid and the information in the service API call request message matches the information in the token, that is, when the service API request initiated by the API caller is within the scope permitted by the token, the AEF sends a service API call response message to the API caller. The service API call response message carries the target resource.
Of course, the AEF needs to authenticate the first identity information of the API caller in advance; only on the basis of completed identity authentication does it determine the verification result of the token and whether the information in the service API call request message matches the information included in the token.
The first identity information includes, but is not limited to, the identifier of the API caller, and may optionally include the A-KID of the API caller, the B-TID of the API caller, the SUPI of the API caller, or the GPSI of the API caller.
In the above embodiment, after the AEF receives the service API call request message sent by the API caller, if the message carries a token, the AEF can verify the token and, once the verification result indicates that the token is valid, send a service API call response message carrying the target resource to the API caller. This achieves the purpose of enabling user authorization during the API calling process so that the target resource is provided to the API caller, with high usability.
In some optional embodiments, if the verification result indicates that the token is invalid, the AEF may terminate the API calling process.
In the above embodiment, if the AEF determines that the token is invalid, the API calling process can be terminated promptly, ensuring the security and reliability of the API calling process.
In some optional embodiments, if the service API call request message does not carry the token, the AEF may send a service API call rejection message to the API caller.
Optionally, the service API call rejection message may carry a rejection reason, and the rejection reason may be that no token was carried.
In the above embodiment, if the service API call request message does not carry the token, the AEF can reject the API caller's request, which likewise ensures the security and reliability of the API calling process.
In some optional embodiments, in addition to verifying the integrity of the token, the AEF also needs to authenticate the first identity information of the API caller in advance. The first identity information includes, but is not limited to, the identifier of the API caller, and may optionally include the A-KID of the API caller, the B-TID of the API caller, the SUPI of the API caller, or the GPSI of the API caller.
Further, if the authenticated first identity information is the same as the identifier of the API caller in the certificate and the verification result of the token is determined to be valid, but the information in the service API call request message does not match the information in the token, that is, the service API call request initiated by the API caller exceeds the scope permitted by the token, the AEF may send a service API call rejection message to the API caller.
If the authenticated first identity information is the same as the identifier of the API caller in the certificate, the verification result of the token is determined to be valid, and the information in the service API call request message matches the information in the token, that is, the service API call request initiated by the API caller does not exceed the scope permitted by the token, the AEF may send a service API call response message to the API caller.
In the above embodiment, the AEF can reject or grant the service API call request initiated by the API caller when the respective conditions are met, ensuring the security and reliability of the API calling process.
In some optional embodiments, the AEF can perform mutual identity authentication with the API caller in advance.
In one possible implementation, the AEF can perform mutual identity authentication with the API caller based on certificates.
In another possible implementation, the AEF can perform mutual identity authentication with the API caller based on GBA.
In another possible implementation, the AEF can perform mutual identity authentication with the API caller based on the AKMA mechanism.
In one example, the API caller can authenticate the AEF based on a certificate, and the AEF can authenticate the API caller based on GBA, the AKMA mechanism or a certificate.
Here, the certificate can be assigned by the CAPIF core function.
In the embodiment of the present disclosure, after mutual identity authentication between the AEF and the API caller succeeds, the AEF can establish a second secure connection with the API caller via TLS.
Further, the AEF receives the service API call request message sent by the API caller over the second secure connection.
The AEF may send the service API call response message to the API caller over the second secure connection.
In the above embodiment, the AEF can perform mutual identity authentication with the API caller, and after the identity authentication succeeds, a second secure connection is established, thereby ensuring secure delivery of the token and the target resource, with high usability.
An embodiment of the present disclosure provides an API calling method. Referring to Figure 7, which is a flow chart of an API calling method according to an embodiment, the method may include the following steps:
In step 700 (not shown in Figure 7), the CAPIF function can subscribe to UDM notification messages for updates of the resource authorization configuration file.
The CAPIF functions include, but are not limited to, the CAPIF authentication and authorization function and the API exposure function (AEF). Specifically, the CAPIF authentication and authorization function can include, but is not limited to, the CAPIF core function (CCF) or the authorization function; alternatively, the CAPIF authentication and authorization function can be implemented by a network function deployed by the operator, including but not limited to the network exposure function (NEF).
In step 701, in response to the UE having generated or updated an authorization configuration file, the UE sends a setting request message to the access and mobility management function (AMF).
In the embodiment of the present disclosure, the UE may send the setting request message to the AMF through the 5G radio access network (NG Radio Access Network, NG-RAN) (not shown in Figure 7).
In the embodiment of the present disclosure, the authorization configuration file is used to authorize other UEs or application functions (AFs) to obtain, modify or set the target resource of the UE.
When the UE has generated an authorization configuration file or has updated an already generated authorization configuration file, it can send a setting request message to the AMF; the setting request message is used to request that the updated file information content in the authorization configuration file be synchronized to the UDM.
In one possible implementation, the UE can send a first non-access stratum (NAS) message based on the N1 interface to the AMF.
In one possible implementation, the authorization configuration file includes at least one of the following items of information: the token type to be authorized to the API caller; the identifier of the API caller; the identifier of the expected service API; the identifier of the service the API caller may request to access; the identifier of the service operation the API caller may request to access; the identifier of the target resource the API caller may request to access; the identifier of the target resource owner; the geographical area in which the API caller should be located when accessing the target resource; the authorization expiry time.
The specific information content of the authorization configuration file has been described in the above embodiments and is not repeated here.
In step 702, the AMF synchronizes the updated file information content to the UDM.
In one possible implementation, the AMF can invoke a target service operation on the UDM, the target service operation being used to synchronize the updated file information content to the UDM; optionally, the target service operation can carry the updated file information content.
The target service operation can be the Nudm_ParameterProvision_Update service operation.
In step 703, the UDM determines the updated authorization configuration file based on the updated file information content.
In one possible implementation, the UDM can store or update the authorization configuration file in the unified data repository (UDR) and thereby determine the updated authorization configuration file.
Specifically, the UDM can invoke the Nudr_DM_Update service operation to store or update the authorization configuration file in the UDR.
In step 704, the AMF sends a setting response message to the UE.
In the embodiment of the present disclosure, the setting response message is used to notify the UE that the updated file information content has been synchronized to the UDM.
In one possible implementation, the AMF may send a second NAS message based on the N1 interface to the UE, the second NAS message carrying the setting response message.
In step 705, the UDM sends the updated authorization configuration file to the common API framework (CAPIF) function that has subscribed to the authorization configuration file.
Of course, after subscribing to the authorization configuration file, the CAPIF function can unsubscribe from it as needed, in which case the UDM no longer sends UDM notification messages to the unsubscribed CAPIF function.
In the above embodiment, after generating or updating the authorization configuration file, the user equipment can send a setting request message to the AMF so that the updated file information content is delivered to the AMF, and the AMF can synchronize it to the UDM, so that CAPIF functions that have subscribed to the authorization configuration file can promptly obtain the latest authorization configuration file from the UDM and enable user authorization when the API caller requests authorization, with high usability.
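The profile synchronization flow of Figure 7 (steps 700 to 705), modelled below as an added Python example; it is not code from the patent or its applicant. The class and method names, the treatment of the setting request as carrying only the changed items, which the UDM merges into the stored file, and the check in the AMF that a UE can only update the authorization configuration file belonging to its own identity are assumptions of this example. `dm_update` and `parameter_provision_update` stand in for the Nudr_DM_Update and Nudm_ParameterProvision_Update service operations named in the text; the sample UE and owner identifiers are constructed.

```python
from dataclasses import dataclass, fields, replace


@dataclass(frozen=True)
class AuthorizationProfile:
    """Information items of the authorization configuration file listed in the text."""
    token_type: str               # token type to be authorized to the API caller
    api_caller_id: str
    expected_service_api_id: str
    service_id: str
    service_operation_id: str
    target_resource_id: str
    resource_owner_id: str
    geo_scope: str                # area the caller should be in when accessing the resource
    expiry: int                   # authorization expiry time (Unix seconds)

PROFILE_FIELDS = {f.name for f in fields(AuthorizationProfile)}


class CapifFunction:
    """A CAPIF function (CCF, authorization function or AEF) that consumes UDM notifications."""
    def __init__(self, name):
        self.name = name
        self.profiles = {}   # resource owner id -> latest file received from the UDM (step 705)

    def on_udm_notification(self, owner_id, profile):
        self.profiles[owner_id] = profile


class UDR:
    """Unified data repository; dm_update stands in for Nudr_DM_Update (step 703)."""
    def __init__(self):
        self.store = {}

    def dm_update(self, owner_id, profile):
        self.store[owner_id] = profile


class UDM:
    """Merges the updated items into the stored file, persists it and notifies subscribers."""
    def __init__(self, udr):
        self.udr = udr
        self.subscribers = {}   # resource owner id -> CAPIF functions subscribed to that file

    def subscribe(self, owner_id, capif_function):          # step 700
        self.subscribers.setdefault(owner_id, set()).add(capif_function)

    def unsubscribe(self, owner_id, capif_function):        # no further notifications afterwards
        self.subscribers.get(owner_id, set()).discard(capif_function)

    def parameter_provision_update(self, owner_id, updated_content):
        """Stands in for Nudm_ParameterProvision_Update: only the changed items are carried."""
        unknown = set(updated_content) - PROFILE_FIELDS
        if unknown:
            raise ValueError(f"unknown file items: {sorted(unknown)}")
        current = self.udr.store.get(owner_id)
        if current is None:
            if PROFILE_FIELDS - set(updated_content):
                raise ValueError("first provisioning must carry the complete file")
            profile = AuthorizationProfile(**updated_content)
        else:
            profile = replace(current, **updated_content)   # step 703: apply the update
        self.udr.dm_update(owner_id, profile)
        for capif_function in self.subscribers.get(owner_id, ()):   # step 705
            capif_function.on_udm_notification(owner_id, profile)
        return profile


class AMF:
    def __init__(self, udm):
        self.udm = udm

    def handle_setting_request(self, ue_id, updated_content):
        """Steps 701, 702 and 704. Assumption added here: the file an update applies to is the
        one of the UE authenticated on the N1 interface, so a UE cannot rewrite another UE's file."""
        if updated_content.get("resource_owner_id", ue_id) != ue_id:
            return {"setting_response": "rejected", "reason": "owner mismatch"}
        self.udm.parameter_provision_update(ue_id, updated_content)
        return {"setting_response": "synchronized"}


def run_flow():
    """Constructed walk-through: provisioning, a partial update and an unsubscribed function."""
    udr = UDR()
    udm = UDM(udr)
    amf = AMF(udm)
    ccf, aef = CapifFunction("CCF"), CapifFunction("AEF")
    udm.subscribe("ue-1", ccf)
    udm.subscribe("ue-1", aef)
    initial = dict(token_type="access", api_caller_id="caller-A", expected_service_api_id="svc-api-1",
                   service_id="svc-1", service_operation_id="read", target_resource_id="res-1",
                   resource_owner_id="ue-1", geo_scope="zone-1", expiry=1_700_000_000)
    first = amf.handle_setting_request("ue-1", initial)
    udm.unsubscribe("ue-1", aef)
    second = amf.handle_setting_request("ue-1", {"expiry": 1_800_000_000})
    spoof = amf.handle_setting_request("ue-2", {"resource_owner_id": "ue-1", "expiry": 0})
    return {"first": first, "second": second, "spoof": spoof,
            "ccf_expiry": ccf.profiles["ue-1"].expiry, "aef_expiry": aef.profiles["ue-1"].expiry,
            "stored_expiry": udr.store["ue-1"].expiry}
```

After `run_flow()` the CCF, which stayed subscribed, holds the updated expiry, while the AEF, which unsubscribed before the second setting request, still holds the original file; the attempt by a second UE to change the first UE's file is rejected by the AMF before it reaches the UDM.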
An embodiment of the present disclosure provides an API calling method. Referring to Figure 8, which is a flow chart of an API calling method according to an embodiment, the method may include the following steps:
In step 801, the API caller and the CAPIF authentication and authorization function perform mutual identity authentication.
In the embodiment of the present disclosure, the API caller may be another UE different from the target resource owner, or the API caller may be an AF.
The identity authentication methods have been described on the API caller side and on the CAPIF authentication and authorization function side and are not repeated here.
In step 802, the API caller establishes a first secure connection with the CAPIF authentication and authorization function.
In the embodiment of the present disclosure, after mutual identity authentication with the CAPIF authentication and authorization function succeeds, the API caller can establish the first secure connection with the CAPIF authentication and authorization function via TLS.
In step 803, the API caller sends an authorization request message to the CAPIF authentication and authorization function over the first secure connection.
The authorization request message is used to request authorization to access the target resource.
In one example, the authorization request message includes at least one of the following items of information: the identifier of the API caller; the identifier of the service API the API caller requests to access; the identifier of the service the API caller requests to access; the identifier of the service operation the API caller requests to access; the identifier of the target resource the API caller requests to access; the identifier of the target resource owner.
The specific information content of the authorization request message has been described in the above embodiments and is not repeated here.
In step 804, the CAPIF authentication and authorization function determines, based on the authorization configuration file corresponding to the target resource owner, whether the target resource owner agrees to the authorization request of the API caller.
In the embodiment of the present disclosure, having subscribed to the authorization configuration file, the CAPIF authentication and authorization function obtains the authorization configuration file or the updated authorization configuration file from the UDM, so that it can determine based on the latest authorization configuration file whether the target resource owner agrees to the authorization request of the API caller.
In step 805, the CAPIF authentication and authorization function sends an authorization response message to the API caller over the first secure connection.
The authorization response message is used to indicate whether the target resource owner agrees to the authorization request of the API caller.
In one example, the authorization response message is used to indicate at least one of the following: the token type the UE needs to obtain; whether the UE agrees to provide the specified authorization to the API caller; that the UE permanently agrees to provide the specified authorization to the API caller; that the UE permanently refuses to provide the specified authorization to the API caller; that the API caller needs a new authorization each time it accesses the target resource; that the UE agrees to provide the specified authorization to the API caller according to authorization conditions; that the UE refuses to provide the specified authorization to the API caller according to authorization conditions.
The specific information content included in the authorization response message has been described in the above embodiments and is not repeated here.
In the embodiment of the present disclosure, if the target resource owner agrees to the authorization request of the API caller, the authorization response message carries an authorization code.
In step 806, the API caller sends, over the first secure connection, a first token request message requesting a token to the CAPIF authentication and authorization function.
The first token request message carries the authorization code, and the token is a token used to obtain, modify or set the target resource.
In one example, the token includes, but is not limited to, at least one of the following items of information: the token type; the identifier of the CAPIF authentication and authorization function; the identifier of the API caller; the identifier of the expected service API; the identifier of the service the API caller requests to access; the identifier of the service operation the API caller requests to access; the identifier of the target resource; the identifier of the target resource owner; the geographical area in which the API caller is located when accessing the target resource; the identifier of the AEF; the expiry time of the token.
The specific information content is likewise not repeated here.
In step 807, after the authorization code is verified successfully, the CAPIF authentication and authorization function sends a token response message carrying the token to the API caller over the first secure connection.
In the embodiment of the present disclosure, if the target resource owner agrees to the authorization request of the API caller and what the CAPIF authentication and authorization function provides to the API caller is a first token whose token type is refresh token (for example, the CAPIF authentication and authorization function provides the first token to the API caller through the authorization response message or the token response message), the CAPIF authentication and authorization function can receive a second token request message sent by the API caller when it needs to access the target resource. The second token request message is used to request a second token whose token type is access token, and the second token request message carries the first token.
In the embodiment of the present disclosure, based on the second token request message, the CAPIF authentication and authorization function can verify that the first token is legitimate and then send the second token, whose token type is access token, to the API caller. The API caller can then send a service API call request message to the AEF based on the second token.
If the target resource owner agrees to the authorization request of the API caller and what the CAPIF authentication and authorization function provides to the API caller is a second token whose token type is access token (for example, the CAPIF authentication and authorization function provides the second token to the API caller through the authorization response message or the token response message), the API caller can directly send a service API call request message to the AEF based on the second token.
In step 808, the API caller and the AEF perform mutual identity authentication.
The specific authentication methods have been described in the above embodiments and are not repeated here.
In step 809, the API caller establishes a second secure connection with the AEF.
In step 810, the API caller sends a service API call request message to the AEF over the second secure connection.
In one example, the service API call request message includes at least one of the following: the identifier of the API caller; the identifier of the target resource owner; the identifier of the target resource; the identifier of the service API the API caller requests to access; the identifier of the service the API caller requests to access; the identifier of the service operation the API caller requests to access; a token.
The token is used to authorize the API caller to obtain, modify or set the target resource of the target resource owner.
The specific information content of the service API call request message has been described in the above embodiments and is not repeated here.
In step 811, if the service API call request message carries a token, the AEF determines the verification result of verifying the token.
The token is used to authorize the API caller to obtain the target resource of the target resource owner. The information included in the token has been described in the above embodiments and is not repeated here.
In one example, the AEF may verify the integrity of the token based on the public key of the CAPIF authentication and authorization function and thereby determine the verification result.
In one example, the AEF may send the token to the CAPIF authentication and authorization function and receive from it the verification result of verifying the integrity of the token.
It should be noted that when the service API call request message carries the second token, whose token type is access token, the AEF determines the verification result of verifying the second token.
In step 812, if the verification result indicates that the token is valid and the information in the service API call request message matches the information in the token, the AEF sends a service API call response message to the API caller.
The service API call response message carries the target resource.
In the above embodiment, the purpose of enabling user authorization during the API calling process is achieved, with high usability.
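The Figure 8 flow from the authorization request to the service API call, together with the AEF-side checks of steps 601 to 603 (Figure 6), as one added Python example that is not code from the patent or its applicant. Assumptions of this example: the token is encoded as JSON claims with an HMAC-SHA256 tag under a key shared by the CAPIF authentication and authorization function and the AEF, standing in for the public-key integrity check the text describes; authorization codes are single-use; the AEF treats a token as valid only if its integrity verifies, its type is access token, its AEF identifier names this AEF and its expiry time has not passed; all identifiers, the sample authorization configuration file and the target resource value are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Request items the AEF compares with the token's claims (steps 603 and 812).
MATCH_FIELDS = ("api_caller_id", "expected_service_api_id", "service_id",
                "service_operation_id", "target_resource_id", "resource_owner_id")

def sign_token(key, claims):
    """Serialise the claims and append an HMAC-SHA256 tag (assumed stand-in for the signature)."""
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag

def verify_token(key, token):
    """Return the claims if the integrity tag verifies, otherwise None."""
    try:
        payload_hex, tag = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return json.loads(payload) if hmac.compare_digest(expected, tag) else None


class CapifAuthFunction:
    """Decides on authorization requests from the owner's file and issues tokens (steps 804-807)."""
    def __init__(self, function_id, key, aef_id, profiles):
        self.function_id, self.key, self.aef_id = function_id, key, aef_id
        self.profiles = profiles   # resource owner id -> authorization configuration file from the UDM
        self.codes = {}            # outstanding single-use authorization codes

    def authorize(self, request, now=None):
        now = time.time() if now is None else now
        profile = self.profiles.get(request["resource_owner_id"])
        # The owner consents only if every requested item is what the file permits and it has not expired.
        if (profile is None or profile["expiry"] <= now
                or any(request[f] != profile[f] for f in MATCH_FIELDS)):
            return {"granted": False}
        code = secrets.token_hex(16)
        self.codes[code] = profile
        return {"granted": True, "token_type": profile["token_type"], "authorization_code": code}

    def token_request(self, code):
        profile = self.codes.pop(code, None)   # an authorization code can be redeemed only once
        return None if profile is None else self._issue(profile, profile["token_type"])

    def second_token_request(self, first_token):
        """Exchange a refresh token (first token) for an access token (second token)."""
        claims = verify_token(self.key, first_token)
        if claims is None or claims["token_type"] != "refresh":
            return None
        return self._issue(claims, "access")

    def _issue(self, source, token_type):
        claims = {f: source[f] for f in MATCH_FIELDS}
        claims.update(token_type=token_type, capif_function_id=self.function_id,
                      geo_scope=source["geo_scope"], aef_id=self.aef_id, expiry=source["expiry"])
        return sign_token(self.key, claims)


class AEF:
    """Verifies the token and matches the service API call request against it (steps 601-603)."""
    def __init__(self, aef_id, key, resources):
        self.aef_id, self.key, self.resources = aef_id, key, resources

    def service_api_call(self, request, now=None):
        now = time.time() if now is None else now
        token = request.get("token")
        if token is None:
            return {"result": "rejected", "reason": "token not carried"}
        claims = verify_token(self.key, token)
        # Integrity, token type, intended AEF and expiry together decide whether the token is valid.
        if (claims is None or claims["token_type"] != "access"
                or claims["aef_id"] != self.aef_id or claims["expiry"] <= now):
            return {"result": "terminated", "reason": "token invalid"}
        if any(request[f] != claims[f] for f in MATCH_FIELDS):
            return {"result": "rejected", "reason": "request outside token scope"}
        return {"result": "response", "target_resource": self.resources[claims["target_resource_id"]]}


def run_flow(token_type="access"):
    """Constructed walk-through of one API caller; "refresh" also exercises the second token request."""
    key = b"constructed-shared-key"
    profile = {"token_type": token_type, "api_caller_id": "caller-A", "expected_service_api_id": "svc-api-1",
               "service_id": "svc-1", "service_operation_id": "read", "target_resource_id": "res-1",
               "resource_owner_id": "owner-1", "geo_scope": "zone-1", "expiry": 2_000_000_000}
    ccf = CapifAuthFunction("ccf-1", key, "aef-1", {"owner-1": profile})
    aef = AEF("aef-1", key, {"res-1": "owner-1 location"})
    request = {f: profile[f] for f in MATCH_FIELDS}
    auth = ccf.authorize(request)
    first_token = ccf.token_request(auth["authorization_code"])
    token = ccf.second_token_request(first_token) if token_type == "refresh" else first_token
    return {"auth": auth,
            "ok": aef.service_api_call(dict(request, token=token)),
            "first_token_at_aef": aef.service_api_call(dict(request, token=first_token)),
            "out_of_scope": aef.service_api_call(dict(request, service_operation_id="write", token=token)),
            "no_token": aef.service_api_call(request),
            "replayed_code": ccf.token_request(auth["authorization_code"])}
```

`run_flow("refresh")` shows the two-token path of steps 806 and 807: the refresh token issued first is refused by the AEF (only an access token is accepted at step 811), and only the access token obtained through the second token request yields the target resource. In both paths a request for a service operation the token does not cover is rejected as outside the token's scope, a request without a token is rejected with that reason, and redeeming the same authorization code a second time yields no token.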
与前述应用功能实现方法实施例相对应,本公开还提供了应用功能实现装置的实施例。Corresponding to the foregoing application function implementation method embodiments, the present disclosure also provides an application function implementation device embodiment.
参照图9,图9是根据一示例性实施例示出的一种应用程序接口API调用装置框图,所述装置应用于用户设备UE,包括:Referring to Figure 9, Figure 9 is a block diagram of an application program interface API calling device according to an exemplary embodiment. The device is applied to user equipment UE and includes:
第一发送模块901,被配置为响应于所述UE生成或更新了授权配置文件,向接入与移动管理功能AMF发送设置请求消息;其中,所述授权配置文件用于授权其他UE或应用功能AF获取、修改或设置所述UE的目标资源,所述设置请求消息用于请求将所述授权配置文件中更新的文件信息内容同步给统一数据管理UDM;The first sending module 901 is configured to send a setting request message to the access and mobility management function AMF in response to the UE generating or updating an authorization configuration file; wherein the authorization configuration file is used to authorize other UEs or application functions. AF obtains, modifies or sets the target resource of the UE, and the setting request message is used to request to synchronize the updated file information content in the authorization configuration file to the unified data management UDM;
第一接收模块902,被配置为接收所述AMF返回的设置响应消息;其中,所述设置响应消息用于通知所述UE已将所述更新的文件信息内容同步给所述UDM。The first receiving module 902 is configured to receive a setting response message returned by the AMF; wherein the setting response message is used to notify the UE that the updated file information content has been synchronized to the UDM.
Referring to Figure 10, Figure 10 is a block diagram of an API calling device according to an exemplary embodiment. The device is applied to the access and mobility management function (AMF) and includes:
a second receiving module 1001, configured to receive a setting request message sent by a user equipment (UE), where the setting request message is used to request that the updated file information content in the authorization configuration file of the UE be synchronized to the unified data management (UDM), and the authorization configuration file is used to authorize other UEs or application functions (AFs) to obtain, modify or set a target resource of the UE;
a first synchronization module 1002, configured to synchronize the updated file information content to the UDM; and
a second sending module 1003, configured to send a setting response message to the UE, where the setting response message notifies the UE that the updated file information content has been synchronized to the UDM.
Referring to Figure 11, Figure 11 is a block diagram of an API calling device according to an exemplary embodiment. The device is applied to the unified data management (UDM) and includes:
an acquisition module 1101, configured to obtain the updated file information content provided by the access and mobility management function (AMF), where the updated file information content comes from the authorization configuration file of a user equipment (UE), and the authorization configuration file is used to authorize other UEs or application functions (AFs) to obtain, modify or set a target resource of the UE;
a first determination module 1102, configured to determine the updated authorization configuration file based on the updated file information content; and
a third sending module 1103, configured to send the updated authorization configuration file to the common API framework (CAPIF) function that subscribes to the authorization configuration file.
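The synchronization path that modules 901 through 1103 describe (UE to AMF over N1, AMF to UDM through a service operation, UDM to the CAPIF functions that subscribe), as an added Python example that is not part of the disclosure. The message shapes, the in-memory UDR, the merge rule for a partial update and the rule that the AMF takes the owner identity from the NAS security context are assumptions the disclosure does not state; the two subscriber roles are the ones claim 11 names (CAPIF authentication and authorization function, and AEF), and all identifiers and sample values are constructed.

```python
"""Added example (not code from the patent): a minimal simulation of the
authorization configuration file synchronization path, UE -> AMF -> UDM ->
subscribed CAPIF functions. Message shapes, the in-memory UDR and the merge
rule for partial updates are assumptions; the disclosure defines none of them."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Profile = Dict[str, object]
Notify = Callable[[str, Profile], None]

# CAPIF functions the disclosure names as subscribers of authorization configuration files.
SUBSCRIBER_ROLES = {"CAPIF_AUTH", "AEF"}


@dataclass
class UDM:
    udr: Dict[str, Profile] = field(default_factory=dict)        # owner id -> stored file (assumed UDR)
    subs: Dict[str, List[Notify]] = field(default_factory=dict)  # owner id -> subscriber callbacks

    def subscribe(self, owner_id: str, role: str, callback: Notify) -> bool:
        """Subscription request from a CAPIF function; only the allowed roles are accepted,
        and the current file (if any) is delivered on acceptance."""
        if role not in SUBSCRIBER_ROLES:
            return False
        self.subs.setdefault(owner_id, []).append(callback)
        if owner_id in self.udr:
            callback(owner_id, dict(self.udr[owner_id]))
        return True

    def store_update(self, owner_id: str, delta: Profile) -> Profile:
        """Target service operation invoked by the AMF: merge the updated content into the
        stored file, persist it, then push the whole updated file to every subscriber."""
        merged = dict(self.udr.get(owner_id, {}))
        merged.update(delta)
        merged["resource_owner_id"] = owner_id
        self.udr[owner_id] = merged
        for callback in self.subs.get(owner_id, []):
            callback(owner_id, dict(merged))
        return merged


@dataclass
class AMF:
    udm: UDM

    def handle_setting_request(self, authenticated_supi: str, delta: Profile) -> Dict:
        """Setting request received over N1. The owner identity is taken from the NAS
        security context, never from the message body, so one UE cannot rewrite
        another subscriber's authorization configuration file (assumed rule)."""
        claimed = delta.get("resource_owner_id")
        if claimed is not None and claimed != authenticated_supi:
            return {"result": "rejected", "cause": "owner mismatch"}
        self.udm.store_update(authenticated_supi, delta)
        return {"result": "synchronized"}           # setting response message


@dataclass
class UE:
    supi: str
    amf: AMF
    profile: Profile = field(default_factory=dict)

    def update_profile(self, delta: Profile) -> Dict:
        """Apply a local change and send only the updated content to the AMF."""
        self.profile.update(delta)
        return self.amf.handle_setting_request(self.supi, delta)


def demo() -> Dict:
    """Runs the flow with constructed sample data and returns what each side ended with."""
    udm = UDM()
    received: Dict[str, Profile] = {}

    def make_subscriber(name: str) -> Notify:
        def callback(owner_id: str, profile: Profile) -> None:
            received[name] = profile
        return callback

    sub_auth = udm.subscribe("imsi-001", "CAPIF_AUTH", make_subscriber("auth"))
    sub_aef = udm.subscribe("imsi-001", "AEF", make_subscriber("aef"))
    sub_af = udm.subscribe("imsi-001", "AF", make_subscriber("af"))   # an AF may not subscribe
    ue = UE("imsi-001", AMF(udm))
    first = ue.update_profile({"token_type": "oauth2", "api_caller_id": "af-42",
                               "service_api_id": "nlocation", "resource_id": "current_location"})
    second = ue.update_profile({"expiry": "2030-01-01T00:00:00Z"})    # partial update only
    # another UE tries to rewrite imsi-001's file by naming it as owner in the body
    forged = ue.amf.handle_setting_request("imsi-002", {"resource_owner_id": "imsi-001",
                                                        "api_caller_id": "attacker"})
    return {"sub_auth": sub_auth, "sub_aef": sub_aef, "sub_af": sub_af, "first": first,
            "second": second, "forged": forged, "received": received, "udr": udm.udr}
```

Only the changed content travels over N1; the UDM rebuilds the complete file and pushes the whole file, so a subscriber never merges on its own. The owner check in the AMF is the security-relevant point: if the owner were read from the message body, any UE could overwrite another subscriber's authorization configuration file and grant itself access to that subscriber's resources.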
Referring to Figure 12, Figure 12 is a block diagram of an API calling device according to an exemplary embodiment. The device is applied to an API caller and includes:
a fourth sending module 1201, configured to send an authorization request message to the common API framework (CAPIF) authentication and authorization function, where the authorization request message is used to request authorization to obtain a target resource;
a third receiving module 1202, configured to receive an authorization response message returned by the CAPIF authentication and authorization function, where the authorization response message indicates whether the target resource owner agrees to the authorization request of the API caller;
a fifth sending module 1203, configured to send, if the authorization response message indicates that the target resource owner agrees to the authorization request of the API caller, a service API call request message to the API exposing function (AEF) based on the token provided by the CAPIF authentication and authorization function, where the token is used to authorize the API caller to obtain, modify or set the target resource; and
a fourth receiving module 1204, configured to receive the service API call response message returned by the AEF, where the service API call response message carries the target resource.
Referring to Figure 13, Figure 13 is a block diagram of an API calling device according to an exemplary embodiment. The device is applied to the common API framework (CAPIF) authentication and authorization function and includes:
a fifth receiving module 1301, configured to receive an authorization request message sent by an API caller, where the authorization request message is used to request authorization to obtain a target resource;
a second determination module 1302, configured to determine, according to the authorization configuration file corresponding to the target resource owner, whether the target resource owner agrees to the authorization request of the API caller; and
a sixth sending module 1303, configured to send an authorization response message to the API caller, where the authorization response message indicates whether the target resource owner agrees to the authorization request of the API caller.
Referring to Figure 14, Figure 14 is a block diagram of an API calling device according to an exemplary embodiment. The device is applied to the API exposing function (AEF) and includes:
a sixth receiving module 1401, configured to receive a service API call request message sent by an API caller;
a third determination module 1402, configured to determine, if the service API call request message carries a token, a verification result of verifying the token, where the token is used to authorize the API caller to obtain, modify or set a target resource of a target resource owner; and
a seventh sending module 1403, configured to send a service API call response message to the API caller if the verification result indicates that the token is valid and the information in the service API call request message matches the information in the token, where the service API call response message carries the target resource.
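The authorization decision, token issue and token check that modules 1301 through 1403 describe, as an added Python example that is not the disclosure's own code. The token format (an HMAC-signed JSON body with a key shared by the CAPIF authentication and authorization function and the AEF), the field names, the response codes and the sample authorization configuration file are assumptions; the fields themselves are the nine items the disclosure lists for the authorization configuration file, with the geographic area generalized to a set of allowed area codes.

```python
"""Added example (not the patent's own code): CAPIF authorization decision, token
issue and the AEF's token check. The token format (HMAC-signed JSON body), the
shared key, all field names and the sample data are assumptions."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Assumed key shared by the CAPIF authentication/authorization function and the AEF.
CAPIF_AEF_KEY = b"demo-key-not-for-production"
# Request fields that must agree with the token before the AEF answers (step 812).
BOUND_FIELDS = ("api_caller_id", "service_api_id", "service_id", "operation_id",
                "resource_id", "resource_owner_id", "geo_area")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def authorize(profile: Dict, request: Dict, now: float) -> Tuple[bool, str]:
    """CAPIF authentication/authorization function: decide from the resource owner's
    authorization configuration file whether the API caller's request is allowed."""
    if now >= profile["expiry"]:
        return False, "authorization expired"
    for key in BOUND_FIELDS[:-1]:
        if profile[key] != request[key]:
            return False, f"{key} not authorized"
    if request["geo_area"] not in profile["geo_areas"]:   # caller must be inside the area
        return False, "caller outside authorized geographic area"
    return True, "ok"


def issue_token(profile: Dict, request: Dict) -> str:
    """Token handed to the API caller after a positive decision; every bound field is
    copied into it so the AEF can later compare request against token."""
    claims = {key: request[key] for key in BOUND_FIELDS}
    claims["token_type"] = profile["token_type"]
    claims["exp"] = profile["expiry"]
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(CAPIF_AEF_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now: float) -> Optional[Dict]:
    """Returns the claims if signature and expiry check out, otherwise None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(CAPIF_AEF_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:          # malformed token, bad base64 or bad JSON
        return None
    return claims if now < claims["exp"] else None


def aef_handle(request: Dict, now: float, resources: Dict) -> Dict:
    """AEF side of step 812: verify the token, then require every bound request field
    to match the token before the target resource is returned."""
    token = request.get("token")
    if token is None:
        return {"status": 401, "cause": "no token"}
    claims = verify_token(token, now)
    if claims is None:
        return {"status": 401, "cause": "invalid or expired token"}
    for key in BOUND_FIELDS:
        if request.get(key) != claims[key]:
            return {"status": 403, "cause": f"{key} does not match token"}
    resource = resources[claims["resource_owner_id"]][claims["resource_id"]]
    return {"status": 200, "resource": resource}


def demo() -> Dict:
    """Runs the flow with constructed sample data, including a few abuse attempts."""
    now = 1_700_000_000.0
    profile = {"token_type": "oauth2", "api_caller_id": "af-42", "service_api_id": "nlocation",
               "service_id": "location", "operation_id": "get", "resource_id": "current_location",
               "resource_owner_id": "imsi-001", "geo_areas": {"CN-11"}, "expiry": now + 3600}
    request = {key: profile[key] for key in BOUND_FIELDS[:-1]}
    request["geo_area"] = "CN-11"
    resources = {"imsi-001": {"current_location": {"lat": 39.9, "lon": 116.4},
                              "contacts": ["constructed sample"]}}
    grant = authorize(profile, request, now)
    token = issue_token(profile, request)
    tampered = ("B" if token[0] != "B" else "C") + token[1:]   # one altered body character
    return {
        "grant": grant,
        "ok": aef_handle({**request, "token": token}, now, resources),
        # the same valid token reused for a resource the owner never authorized
        "replay": aef_handle({**request, "resource_id": "contacts", "token": token}, now, resources),
        "tampered": aef_handle({**request, "token": tampered}, now, resources),
        "expired": aef_handle({**request, "token": token}, now + 7200, resources),
        "denied": authorize(profile, {**request, "operation_id": "set"}, now),
    }
```

demo() exercises the cases the match check in step 812 guards against: a valid token reused for a resource the owner never authorized, a token whose body was altered, and a token presented after the authorization expiry time. A shared HMAC key means the AEF could mint tokens itself; in a deployment the CAPIF function would sign with a private key and the AEF would hold only the public key, which changes verify_token and nothing else.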
As the device embodiments essentially correspond to the method embodiments, the relevant parts may be understood by reference to the description of the method embodiments. The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present disclosure. A person of ordinary skill in the art can understand and implement this without creative effort.
Correspondingly, the present disclosure also provides a computer-readable storage medium storing a computer program, the computer program being used to execute any of the above API calling methods on the UE side.
Correspondingly, the present disclosure also provides a computer-readable storage medium storing a computer program, the computer program being used to execute any of the above API calling methods on the AMF side.
Correspondingly, the present disclosure also provides a computer-readable storage medium storing a computer program, the computer program being used to execute any of the above API calling methods on the UDM side.
Correspondingly, the present disclosure also provides a computer-readable storage medium storing a computer program, the computer program being used to execute any of the above API calling methods on the API caller side.
Correspondingly, the present disclosure also provides a computer-readable storage medium storing a computer program, the computer program being used to execute any of the above API calling methods on the CAPIF authentication and authorization function side.
Correspondingly, the present disclosure also provides a computer-readable storage medium storing a computer program, the computer program being used to execute any of the above API calling methods on the AEF side.
Correspondingly, the present disclosure also provides a communication system. Referring to Figure 15, Figure 15 is a structural block diagram of a communication system according to an exemplary embodiment. The system includes:
a user equipment (UE) 1501, configured to execute any of the above API calling methods on the UE side;
an access and mobility management function (AMF) 1502, configured to execute any of the above API calling methods on the AMF side;
a unified data management (UDM) 1503, configured to execute any of the above API calling methods on the UDM side;
an API caller 1504, configured to execute any of the above API calling methods on the API caller side;
a CAPIF authentication and authorization function 1505, configured to execute any of the above API calling methods on the CAPIF authentication and authorization function side; and
an API exposing function (AEF) 1506, configured to execute any of the above API calling methods on the AEF side.
Correspondingly, the present disclosure also provides an API calling device, including:
a processor; and
a memory for storing instructions executable by the processor;
where the processor is configured to execute any of the above API calling methods on the UE side.
Figure 16 is a block diagram of an API calling device according to an exemplary embodiment. For example, the device 1600 may be a UE such as a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a medical device, a fitness device or a personal digital assistant.
Referring to Figure 16, the device 1600 may include one or more of the following components: a processing component 1602, a memory 1604, a power supply component 1606, a multimedia component 1608, an audio component 1610, an input/output (I/O) interface 1612, a sensor component 1616 and a communication component 1618.
The processing component 1602 generally controls the overall operation of the device 1600, such as operations associated with display, telephone calls, data communication, camera operation and recording operation. The processing component 1602 may include one or more processors 1620 to execute instructions so as to complete all or some of the steps of the above method. In addition, the processing component 1602 may include one or more modules that facilitate interaction between the processing component 1602 and other components. For example, the processing component 1602 may include a multimedia module to facilitate interaction between the multimedia component 1608 and the processing component 1602.
One of the processors 1620 in the processing component 1602 may be configured to execute any of the above API calling methods on the terminal device (UE) side.
The memory 1604 is configured to store various types of data to support operation of the device 1600. Examples of such data include instructions for any application or method operating on the device 1600, contact data, phonebook data, messages, pictures, videos and the like. The memory 1604 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disk.
The power supply component 1606 provides power to the various components of the device 1600. The power supply component 1606 may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for the device 1600.
The multimedia component 1608 includes a screen that provides an output interface between the device 1600 and the user. In some embodiments, the screen may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, swipes and gestures on the touch panel. The touch sensors may sense not only the boundary of a touch or swipe action but also the duration and pressure associated with the touch or swipe operation. In some embodiments, the multimedia component 1608 includes a front camera and/or a rear camera. When the device 1600 is in an operating mode, such as a shooting mode or a video mode, the front camera and/or the rear camera may receive external multimedia data. Each front camera and rear camera may be a fixed optical lens system or have focal length and optical zoom capability.
The audio component 1610 is configured to output and/or input audio signals. For example, the audio component 1610 includes a microphone (MIC) configured to receive external audio signals when the device 1600 is in an operating mode such as a call mode, a recording mode or a speech recognition mode. The received audio signals may be further stored in the memory 1604 or sent via the communication component 1618. In some embodiments, the audio component 1610 further includes a speaker for outputting audio signals.
The I/O interface 1612 provides an interface between the processing component 1602 and peripheral interface modules, which may be a keyboard, a click wheel, buttons and the like. These buttons may include, but are not limited to, a home button, volume buttons, a start button and a lock button.
The sensor component 1616 includes one or more sensors for providing status assessments of various aspects of the device 1600. For example, the sensor component 1616 may detect the open/closed state of the device 1600 and the relative positioning of components, for example the display and keypad of the device 1600; the sensor component 1616 may also detect a change in position of the device 1600 or of a component of the device 1600, the presence or absence of user contact with the device 1600, the orientation or acceleration/deceleration of the device 1600, and a change in temperature of the device 1600. The sensor component 1616 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact. The sensor component 1616 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor component 1616 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor or a temperature sensor.
The communication component 1618 is configured to facilitate wired or wireless communication between the device 1600 and other devices. The device 1600 may access a wireless network based on a communication standard, such as WiFi, 3G, 4G, 5G, 6G or a combination thereof. In an exemplary embodiment, the communication component 1618 receives broadcast signals or broadcast-related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 1618 further includes a near field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
In an exemplary embodiment, the device 1600 may be implemented by one or more application-specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field-programmable gate arrays (FPGAs), controllers, microcontrollers, microprocessors or other electronic components for executing the above method.
In an exemplary embodiment, a non-transitory computer-readable storage medium including instructions is also provided, for example the memory 1604 including instructions, which are executable by the processor 1620 of the device 1600 to complete the above method. For example, the non-transitory computer-readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device or the like.
Correspondingly, the present disclosure also provides an API calling device, including:
a processor; and
a memory for storing instructions executable by the processor;
where the processor is configured to execute any of the above API calling methods on the AMF side.
Correspondingly, the present disclosure also provides an API calling device, including:
a processor; and
a memory for storing instructions executable by the processor;
where the processor is configured to execute any of the above API calling methods on the UDM side.
Correspondingly, the present disclosure also provides an API calling device, including:
a processor; and
a memory for storing instructions executable by the processor;
where the processor is configured to execute any of the above API calling methods on the API caller side.
Correspondingly, the present disclosure also provides an API calling device, including:
a processor; and
a memory for storing instructions executable by the processor;
where the processor is configured to execute any of the above API calling methods on the CAPIF authentication and authorization function side.
Correspondingly, the present disclosure also provides an API calling device, including:
a processor; and
a memory for storing instructions executable by the processor;
where the processor is configured to execute any of the above API calling methods on the AEF side.
As shown in Figure 17, Figure 17 is a schematic structural diagram of an API calling device 1700 according to an exemplary embodiment. The device 1700 may be provided as any of an AMF, a UDM, an API caller, a CAPIF authentication and authorization function and an AEF. Referring to Figure 17, the device 1700 includes a processing component 1722, a wireless transmit/receive component 1724, an antenna component 1726 and a signal processing part specific to the wireless interface; the processing component 1722 may further include at least one processor.
One of the processors in the processing component 1722 may be configured to execute any of the API calling methods described above.
Other embodiments of the present disclosure will be readily apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. The present disclosure is intended to cover any variations, uses or adaptations of the present disclosure that follow its general principles and include common knowledge or customary technical means in the art that are not disclosed herein. The specification and examples are to be regarded as exemplary only, with the true scope and spirit of the present disclosure being indicated by the following claims.
It should be understood that the present disclosure is not limited to the precise structures described above and shown in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present disclosure is limited only by the appended claims.

Claims (68)

  1. An application program interface (API) calling method, characterized in that the method is executed by a user equipment (UE) and includes:
    in response to the UE having generated or updated an authorization configuration file, sending a setting request message to an access and mobility management function (AMF), where the authorization configuration file is used to authorize other UEs or application functions (AFs) to obtain, modify or set a target resource of the UE, and the setting request message is used to request that the updated file information content in the authorization configuration file be synchronized to a unified data management (UDM); and
    receiving a setting response message returned by the AMF, where the setting response message notifies the UE that the updated file information content has been synchronized to the UDM.
  2. The method according to claim 1, characterized in that sending the setting request message to the AMF includes:
    sending a first non-access stratum (NAS) message to the AMF over the N1 interface, where the first NAS message carries the updated file information content.
  3. The method according to claim 1, characterized in that receiving the setting response message returned by the AMF includes:
    receiving a second NAS message returned by the AMF over the N1 interface, where the second NAS message carries the setting response message.
  4. The method according to any one of claims 1 to 3, characterized in that the authorization configuration file includes at least one of the following items of information:
    the token type to be granted to an API caller;
    the identifier of the API caller;
    the identifier of the expected service API;
    the identifier of the service the API caller may request;
    the identifier of the service operation the API caller may request;
    the identifier of the target resource the API caller may request;
    the identifier of the target resource owner;
    the geographic area the API caller should be in when accessing the target resource; and
    the authorization expiry time.
  5. An application program interface (API) calling method, characterized in that the method is executed by an access and mobility management function (AMF) and includes:
    receiving a setting request message sent by a user equipment (UE), where the setting request message is used to request that the updated file information content in the authorization configuration file of the UE be synchronized to a unified data management (UDM), and the authorization configuration file is used to authorize other UEs or application functions (AFs) to obtain, modify or set a target resource of the UE;
    synchronizing the updated file information content to the UDM; and
    sending a setting response message to the UE, where the setting response message notifies the UE that the updated file information content has been synchronized to the UDM.
  6. The method according to claim 5, characterized in that synchronizing the updated file information content to the UDM includes:
    invoking a target service operation on the UDM, where the target service operation is used to synchronize the updated file information content to the UDM.
  7. The method according to claim 5 or 6, characterized in that the authorization configuration file includes at least one of the following items of information:
    the token type to be granted to an API caller;
    the identifier of the API caller;
    the identifier of the expected service API;
    the identifier of the service the API caller may request;
    the identifier of the service operation the API caller may request;
    the identifier of the target resource the API caller may request;
    the identifier of the target resource owner;
    the geographic area the API caller should be in when accessing the target resource; and
    the authorization expiry time.
  8. An application program interface (API) calling method, characterized in that the method is executed by a unified data management (UDM) and includes:
    obtaining updated file information content provided by an access and mobility management function (AMF), where the updated file information content comes from the authorization configuration file of a user equipment (UE), and the authorization configuration file is used to authorize other UEs or application functions (AFs) to obtain, modify or set a target resource of the UE;
    determining the updated authorization configuration file based on the updated file information content; and
    sending the updated authorization configuration file to the common API framework (CAPIF) function that subscribes to the authorization configuration file.
  9. The method according to claim 8, characterized in that determining the updated authorization configuration file based on the updated file information content includes:
    storing or updating the authorization configuration file on a unified data repository (UDR), and determining the updated authorization configuration file.
  10. The method according to claim 8, characterized in that the method further includes:
    receiving a subscription request message sent by the CAPIF function, where the subscription request message is used to request subscription to the authorization configuration file corresponding to the UE; and
    in response to determining to accept the subscription request of the CAPIF function, obtaining the authorization configuration file corresponding to the UE and sending the authorization configuration file corresponding to the UE to the CAPIF function.
  11. The method according to claim 8, characterized in that the CAPIF function subscribing to the authorization configuration file includes at least one of:
    a CAPIF authentication and authorization function; and
    an API exposing function (AEF).
  12. The method according to claim 11, characterized in that the CAPIF authentication and authorization function includes a CAPIF core function or an authorization function.
  13. The method according to any one of claims 8 to 12, characterized in that the authorization configuration file includes at least one of the following items of information:
    the token type to be granted to an API caller;
    the identifier of the API caller;
    the identifier of the expected service API;
    the identifier of the service the API caller may request;
    the identifier of the service operation the API caller may request;
    the identifier of the target resource the API caller may request;
    the identifier of the target resource owner;
    the geographic area the API caller should be in when accessing the target resource; and
    the authorization expiry time.
  14. An application program interface (API) invoking method, characterized in that the method is performed by an API invoker and comprises:
    sending an authorization request message to a common API framework (CAPIF) authentication and authorization function, wherein the authorization request message is used to request authorization to obtain a target resource;
    receiving an authorization response message returned by the CAPIF authentication and authorization function, wherein the authorization response message is used to indicate whether the target resource owner agrees to the authorization request of the API invoker;
    if the authorization response message indicates that the target resource owner agrees to the authorization request of the API invoker, sending a service API invocation request message to an API exposing function (AEF) based on a token provided by the CAPIF authentication and authorization function, wherein the token is used to authorize the API invoker to obtain, modify or set the target resource; and
    receiving a service API invocation response message returned by the AEF, wherein the service API invocation response message carries the target resource.
  15. The method according to claim 14, characterized in that the authorization response message carries the token.
  16. The method according to claim 14, characterized in that the authorization response message carries an authorization code, and the method further comprises:
    sending a first token request message to the CAPIF authentication and authorization function to request the token, wherein the first token request message carries the authorization code; and
    receiving a token response message carrying the token returned by the CAPIF authentication and authorization function.
  17. The method according to claim 14, characterized in that the authorization request message comprises at least one of the following items of information:
    an identifier of the API invoker;
    an identifier of the service API the API invoker requests;
    an identifier of the service the API invoker requests;
    an identifier of the service operation the API invoker requests;
    an identifier of the target resource the API invoker requests;
    an identifier of the target resource owner.
  18. The method according to any one of claims 14 to 17, characterized in that the token comprises at least one of the following items of information:
    a token type;
    an identifier of the CAPIF authentication and authorization function;
    an identifier of the API invoker;
    an identifier of the intended service API;
    an identifier of the service the API invoker requests;
    an identifier of the service operation the API invoker requests;
    an identifier of the target resource;
    an identifier of the target resource owner;
    the geographic area in which the API invoker is located when accessing the target resource;
    an identifier of the AEF;
    the expiry time of the token.
  19. The method according to claim 14, characterized in that the method further comprises:
    determining, based on local configuration information or on the AEF identifier carried in the token, the AEF to which the service API invocation request message is sent.
  20. The method according to claim 14, characterized in that sending the service API invocation request message to the AEF based on the token provided by the CAPIF authentication and authorization function comprises:
    if the CAPIF authentication and authorization function provides a first token whose token type is a refresh token, sending a second token request message carrying the first token to the CAPIF authentication and authorization function, wherein the second token request message is used to request a second token whose token type is an access token;
    receiving the second token, whose token type is an access token, returned by the CAPIF authentication and authorization function; and
    sending the service API invocation request message to the AEF based on the second token.
  21. The method according to claim 14, characterized in that sending the service API invocation request message to the AEF based on the token provided by the CAPIF authentication and authorization function comprises:
    if the CAPIF authentication and authorization function provides a second token whose token type is an access token, sending the service API invocation request message to the AEF based on the second token.
  22. The method according to claim 14, characterized in that the method further comprises:
    performing mutual authentication with the CAPIF authentication and authorization function; and
    after the mutual authentication with the CAPIF authentication and authorization function succeeds, establishing a first secure connection with the CAPIF authentication and authorization function.
  23. The method according to claim 22, characterized in that performing mutual authentication with the CAPIF authentication and authorization function comprises any one of the following:
    performing certificate-based mutual authentication with the CAPIF authentication and authorization function;
    performing GBA-based mutual authentication with the CAPIF authentication and authorization function;
    performing AKMA-based mutual authentication with the CAPIF authentication and authorization function.
  24. The method according to claim 14, characterized in that sending the authorization request message to the CAPIF authentication and authorization function comprises:
    after establishing the first secure connection with the CAPIF authentication and authorization function, sending the authorization request message to the CAPIF authentication and authorization function over the first secure connection.
  25. The method according to claim 14, characterized in that the method further comprises:
    performing mutual authentication with the AEF; and
    after the mutual authentication with the AEF succeeds, establishing a second secure connection with the AEF.
  26. The method according to claim 25, characterized in that performing mutual authentication with the AEF comprises any one of the following:
    performing certificate-based mutual authentication with the AEF;
    performing GBA-based mutual authentication with the AEF;
    performing AKMA-based mutual authentication with the AEF.
  27. The method according to claim 14, characterized in that sending the service API invocation request message to the AEF comprises:
    after establishing the second secure connection with the AEF, sending the service API invocation request message to the AEF over the second secure connection.
  28. The method according to claim 14, characterized in that the CAPIF authentication and authorization function comprises a CAPIF core function or an authorization function.
  29. An application program interface (API) invoking method, characterized in that the method is performed by a common API framework (CAPIF) authorization function and comprises:
    receiving an authorization request message sent by an API invoker, wherein the authorization request message is used to request authorization to obtain a target resource;
    determining, according to the authorization profile corresponding to the target resource owner, whether the target resource owner agrees to the authorization request of the API invoker; and
    sending an authorization response message to the API invoker, wherein the authorization response message is used to indicate whether the target resource owner agrees to the authorization request of the API invoker.
  30. The method according to claim 29, characterized in that the authorization request message comprises at least one of the following items of information:
    an identifier of the API invoker;
    an identifier of the service API the API invoker requests;
    an identifier of the service the API invoker requests;
    an identifier of the service operation the API invoker requests;
    an identifier of the target resource the API invoker requests;
    an identifier of the target resource owner.
  31. The method according to claim 29, characterized in that the authorization profile comprises at least one of the following items of information:
    the token type to be granted to the API invoker;
    an identifier of the API invoker;
    an identifier of the intended service API;
    an identifier of the service the API invoker may request;
    an identifier of the service operation the API invoker may request;
    an identifier of the target resource the API invoker may request;
    an identifier of the target resource owner;
    the geographic area in which the API invoker must be located when accessing the target resource;
    the authorization expiry time.
  32. The method according to claim 29, characterized in that if the authorization response message indicates that the target resource owner agrees to the authorization request of the API invoker, the authorization response message carries a token, wherein the token is used to authorize the API invoker to obtain, modify or set the target resource.
  33. The method according to claim 29, characterized in that if the authorization response message indicates that the target resource owner agrees to the authorization request of the API invoker, the authorization response message carries an authorization code;
    the method further comprises:
    receiving a first token request message sent by the API invoker to obtain a token, wherein the token is used to authorize the API invoker to obtain, modify or set the target resource, and the first token request message carries the authorization code; and
    sending a token response message carrying the token to the API invoker.
  34. The method according to claim 32 or 33, characterized in that the token comprises at least one of the following items of information:
    a token type;
    an identifier of the CAPIF authentication and authorization function;
    an identifier of the API invoker;
    an identifier of the intended service API;
    an identifier of the service the API invoker requests;
    an identifier of the service operation the API invoker requests;
    an identifier of the target resource;
    an identifier of the target resource owner;
    the geographic area in which the API invoker is located when accessing the target resource;
    an identifier of the AEF;
    the expiry time of the token.
  35. The method according to claim 29, characterized in that the method further comprises:
    if it is determined according to the authorization profile that the target resource owner agrees to the authorization request of the API invoker, and the CAPIF authentication and authorization function has provided the API invoker with a first token whose token type is a refresh token, receiving a second token request message sent by the API invoker when it needs to obtain the target resource, wherein the second token request message is used to request a second token whose token type is an access token, and the second token request message carries the first token; and
    based on the second token request message, after verifying that the first token is valid, sending the second token, whose token type is an access token, to the API invoker.
  36. The method according to claim 29, characterized in that the method further comprises:
    if it is determined according to the authorization profile that the target resource owner agrees to the authorization request of the API invoker, generating for the API invoker a token constrained by the authorization profile.
  37. The method according to claim 29, characterized in that the method further comprises:
    performing mutual authentication with the API invoker; and
    after the mutual authentication with the API invoker succeeds, establishing a first secure connection with the API invoker.
  38. The method according to claim 37, characterized in that performing mutual authentication with the API invoker comprises any one of the following:
    performing certificate-based mutual authentication with the API invoker;
    performing GBA-based mutual authentication with the API invoker;
    performing AKMA-based mutual authentication with the API invoker.
  39. The method according to claim 29, characterized in that receiving the authorization request message sent by the API invoker comprises:
    after establishing the first secure connection with the API invoker, receiving the authorization request message sent by the API invoker over the first secure connection.
  40. The method according to claim 29, characterized in that the method further comprises:
    where the authorization profile has been subscribed to, obtaining the authorization profile or the updated authorization profile from unified data management (UDM).
  41. The method according to claim 34, characterized in that the CAPIF authentication and authorization function comprises a CAPIF core function or an authorization function.
  42. An application program interface (API) invoking method, characterized in that the method is performed by an API exposing function (AEF) and comprises:
    receiving a service API invocation request message sent by an API invoker;
    if the service API invocation request message carries a token, determining a verification result of verifying the token, wherein the token is used to authorize the API invoker to obtain, modify or set a target resource of a target resource owner; and
    if the verification result indicates that the token is valid and the information in the service API invocation request message matches the information in the token, sending a service API invocation response message to the API invoker, wherein the service API invocation response message carries the target resource.
  43. The method according to claim 42, characterized in that determining the verification result of verifying the token comprises:
    verifying the token, by the AEF, based on the public key of the common API framework (CAPIF) authentication and authorization function, and determining the verification result.
  44. The method according to claim 42, characterized in that determining the verification result of verifying the token comprises:
    sending the token to the CAPIF authentication and authorization function; and
    receiving the verification result of verifying the token returned by the CAPIF authentication and authorization function.
  45. The method according to claim 43 or 44, characterized in that the CAPIF authentication and authorization function comprises a CAPIF core function or an authorization function.
  46. The method according to claim 42, characterized in that the method further comprises:
    if the verification result indicates that the token is invalid, terminating the API invocation procedure.
  47. The method according to claim 42, characterized in that the method further comprises:
    if the service API invocation request message does not carry the token, sending a service API invocation rejection message to the API invoker.
  48. The method according to claim 42, characterized in that the service API invocation request message comprises at least one of the following:
    an identifier of the API invoker;
    an identifier of the target resource owner;
    an identifier of the target resource;
    an identifier of the service API the API invoker requests;
    an identifier of the service the API invoker requests;
    an identifier of the service operation the API invoker requests;
    the token.
  49. The method according to claim 42, characterized in that the token comprises at least one of the following items of information:
    an identifier of the common API framework (CAPIF) authentication and authorization function;
    an identifier of the API invoker;
    an identifier of the intended service API;
    an identifier of the target resource;
    an identifier of the target resource owner;
    an identifier of the AEF;
    the expiry time of the token.
  50. The method according to claim 42, characterized in that the method further comprises:
    determining that the service API invocation request message carries a second token whose token type is an access token;
    and determining the verification result of verifying the token comprises:
    determining a verification result of verifying the second token.
  51. The method according to claim 42, characterized in that the method further comprises:
    determining that first identity information of the API invoker has been authenticated;
    determining that the certificate of the API invoker has been verified;
    if the authenticated first identity information is the same as the API invoker identifier in the certificate, but the information in the service API invocation request message does not match the information in the token, sending a service API invocation rejection message to the API invoker; or
    if the API invoker identifier in the certificate can be mapped to the authenticated first identity information, but the information in the service API invocation request message does not match the information in the token, sending a service API invocation rejection message to the API invoker.
  52. The method according to claim 42, characterized in that the method further comprises:
    determining that first identity information of the API invoker has been authenticated;
    and sending the service API invocation response message to the API invoker if the verification result indicates that the token is valid and the information in the service API invocation request message matches the information in the token comprises:
    if the authenticated first identity information is the same as the API invoker identifier in the token, the verification result indicates that the token is valid, and the information in the service API invocation request message matches the information in the token, sending the service API invocation response message to the API invoker; or
    if the API invoker identifier in the token can be mapped to the authenticated first identity information, the verification result indicates that the token is valid, and the information in the service API invocation request message matches the information in the token, sending the service API invocation response message to the API invoker.
  53. The method according to claim 42, characterized in that the method further comprises:
    performing mutual authentication with the API invoker; and
    after the mutual authentication with the API invoker succeeds, establishing a second secure connection with the API invoker.
  54. The method according to claim 53, characterized in that performing mutual authentication with the API invoker comprises any one of the following:
    performing certificate-based mutual authentication with the API invoker;
    performing GBA-based mutual authentication with the API invoker;
    performing AKMA-based mutual authentication with the API invoker.
  55. The method according to claim 42, characterized in that receiving the service API invocation request message sent by the API invoker comprises:
    after establishing the second secure connection with the API invoker, receiving the service API invocation request message sent by the API invoker over the second secure connection.
  56. 一种应用程序接口API调用装置,其特征在于,所述装置应用于用户设备UE,包括:An application program interface API calling device, characterized in that the device is applied to user equipment UE and includes:
    第一发送模块,被配置为响应于所述UE生成或更新了授权配置文件,向接入与移动管理功能AMF发送设置请求消息;其中,所述授权配置文件用于授权其他UE或应用功能AF获取、修改或设置所述UE的目标资源,所述设置请求消息用于请求将所述授权配置文件中更新的文件信息内容同步给统一数据管理UDM;The first sending module is configured to send a setting request message to the access and mobility management function AMF in response to the UE generating or updating the authorization configuration file; wherein the authorization configuration file is used to authorize other UEs or application functions AF Obtain, modify or set the target resource of the UE, and the setting request message is used to request to synchronize the updated file information content in the authorization configuration file to the unified data management UDM;
    第一接收模块,被配置为接收所述AMF返回的设置响应消息;其中,所述设置响应消息用于通知所述UE已将所述更新的文件信息内容同步给所述UDM。The first receiving module is configured to receive a setting response message returned by the AMF; wherein the setting response message is used to notify the UE that the updated file information content has been synchronized to the UDM.
  57. 一种应用程序接口API调用装置,其特征在于,所述装置应用于接入与移动管理功能AMF,包括:An application program interface API calling device, characterized in that the device is applied to the access and mobility management function AMF, including:
    第二接收模块,被配置为接收用户设备UE发送的设置请求消息;其中,所述设置请求消息用于请求将所述UE的授权配置文件中更新的文件信息内容同步给统一数据管理UDM,所述授权配置文件用于授权其他UE或应用功能AF获取、修改或设置所述UE的目标资源;The second receiving module is configured to receive a setting request message sent by the user equipment UE; wherein the setting request message is used to request to synchronize the updated file information content in the authorization configuration file of the UE to the unified data management UDM, so The authorization configuration file is used to authorize other UEs or application functions AF to obtain, modify or set the target resources of the UE;
    第一同步模块,被配置为将所述更新的文件信息内容同步给所述UDM;A first synchronization module configured to synchronize the updated file information content to the UDM;
    第二发送模块,被配置为向所述UE发送设置响应消息;其中,所述设置响应消息用于通知所述UE已将所述更新的文件信息内容同步给所述UDM。The second sending module is configured to send a setting response message to the UE; wherein the setting response message is used to notify the UE that the updated file information content has been synchronized to the UDM.
  58. 一种应用程序接口API调用装置,其特征在于,所述装置应用于统一数据管理UDM,包括:An application program interface API calling device, characterized in that the device is applied to unified data management UDM, including:
    获取模块,被配置为获取接入与移动管理功能AMF提供的更新的文件信息内容;其中,所述更新的文件信息内容来自用户设备UE的授权配置文件,所述授权配置文件用于授权其他UE或应用功能AF获取、修改或设置所述UE的目标资源;The acquisition module is configured to obtain updated file information content provided by the access and mobility management function AMF; wherein the updated file information content comes from the authorization configuration file of the user equipment UE, and the authorization configuration file is used to authorize other UEs Or apply function AF to obtain, modify or set the target resources of the UE;
    第一确定模块,被配置为基于所述更新的文件信息内容,确定更新后的授权配置文件;The first determination module is configured to determine the updated authorization configuration file based on the updated file information content;
    第三发送模块,被配置为向订阅授权配置文件的通用API架构CAPIF功能发送所述更新后的授权配置文件。The third sending module is configured to send the updated authorization configuration file to the common API architecture CAPIF function that subscribes to the authorization configuration file.
  59. 一种应用程序接口API调用装置,其特征在于,所述装置应用于API调用方,包括:An application program interface API calling device, characterized in that the device is applied to API callers and includes:
    第四发送模块,被配置为向通用API架构CAPIF认证授权功能发送的授权请求消息;其中,所述授权请求消息用于请求获取目标资源的授权;The fourth sending module is configured to send an authorization request message to the common API architecture CAPIF authentication and authorization function; wherein the authorization request message is used to request authorization to obtain the target resource;
    第三接收模块,被配置为接收所述CAPIF认证授权功能返回的授权响应消息;其中,所述授权响应消息用于指示目标资源拥有者是否同意所述API调用方的授权请求;The third receiving module is configured to receive the authorization response message returned by the CAPIF authentication authorization function; wherein the authorization response message is used to indicate whether the target resource owner agrees to the authorization request of the API caller;
    第五发送模块,被配置为如果所述授权响应消息指示所述目标拥有者同意所述API调用方的授权请求,基于所述CAPIF认证授权功能提供的令牌,向API开放功能AEF发送服务API调用请求消息;其中,所述令牌用于授权所述API调用方获取、修改或设置所述目标资源;The fifth sending module is configured to send the service API to the API opening function AEF based on the token provided by the CAPIF authentication authorization function if the authorization response message indicates that the target owner agrees to the authorization request of the API caller. Call request message; wherein the token is used to authorize the API caller to obtain, modify or set the target resource;
    第四接收模块,被配置为接收所述AEF返回的服务API调用响应消息;其中,所述服务API调用响应消息中携带所述目标资源。The fourth receiving module is configured to receive the service API call response message returned by the AEF; wherein the service API call response message carries the target resource.
  60. An application program interface (API) calling apparatus, characterized in that the apparatus is applied to a Common API Framework (CAPIF) authentication and authorization function and comprises:
    a fifth receiving module, configured to receive an authorization request message sent by an API caller, wherein the authorization request message is used to request authorization to obtain a target resource;
    a second determination module, configured to determine, according to an authorization configuration file corresponding to the target resource owner, whether the target resource owner agrees to the authorization request of the API caller; and
    a sixth sending module, configured to send an authorization response message to the API caller, wherein the authorization response message is used to indicate whether the target resource owner agrees to the authorization request of the API caller.
  61. An application program interface (API) calling apparatus, characterized in that the apparatus is applied to an API exposing function (AEF) and comprises:
    a sixth receiving module, configured to receive a service API call request message sent by an API caller;
    a third determination module, configured to, if the service API call request message carries a token, determine a verification result of verifying the token, wherein the token is used to authorize the API caller to obtain, modify or set a target resource of a target resource owner; and
    a seventh sending module, configured to, if the verification result indicates that the token is valid and the information in the service API call request message matches the information in the token, send a service API call response message to the API caller, wherein the service API call response message carries the target resource.
  62. A communication system, characterized by comprising:
    a user equipment (UE), configured to perform the application program interface (API) calling method according to any one of claims 1 to 4;
    an access and mobility management function (AMF), configured to perform the API calling method according to any one of claims 5 to 7;
    a unified data management (UDM), configured to perform the API calling method according to any one of claims 8 to 13;
    an API caller, configured to perform the API calling method according to any one of claims 14 to 28;
    a CAPIF authentication and authorization function, configured to perform the API calling method according to any one of claims 29 to 41; and
    an API exposing function (AEF), configured to perform the API calling method according to any one of claims 42 to 55.
  63. An application program interface (API) calling apparatus, characterized by comprising:
    a processor; and
    a memory for storing processor-executable instructions;
    wherein the processor is configured to perform the API calling method according to any one of claims 1 to 4.
  64. An application program interface (API) calling apparatus, characterized by comprising:
    a processor; and
    a memory for storing processor-executable instructions;
    wherein the processor is configured to perform the API calling method according to any one of claims 5 to 7.
  65. An application program interface (API) calling apparatus, characterized by comprising:
    a processor; and
    a memory for storing processor-executable instructions;
    wherein the processor is configured to perform the API calling method according to any one of claims 8 to 13.
  66. An application program interface (API) calling apparatus, characterized by comprising:
    a processor; and
    a memory for storing processor-executable instructions;
    wherein the processor is configured to perform the API calling method according to any one of claims 14 to 28.
  67. An application program interface (API) calling apparatus, characterized by comprising:
    a processor; and
    a memory for storing processor-executable instructions;
    wherein the processor is configured to perform the API calling method according to any one of claims 29 to 41.
  68. An application program interface (API) calling apparatus, characterized by comprising:
    a processor; and
    a memory for storing processor-executable instructions;
    wherein the processor is configured to perform the API calling method according to any one of claims 42 to 55.
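The following is an added worked example, not code from the patent or from 3GPP, illustrating the two authorization checks claimed above: the CAPIF authentication and authorization function consulting the resource owner's authorization configuration file before issuing a token (claim 60), and the AEF accepting a service API call only when the token verifies and the request's own fields match the token's contents (claim 61). It assumes a simplified HMAC-signed token in place of the OAuth 2.0 access tokens CAPIF actually uses, a shared secret between the two functions, and a constructed authorization profile and resource store; all names, identifiers and values are invented for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret between the CAPIF authorization function and the AEF.
# A real deployment would rely on CAPIF-provisioned credentials, not a hard-coded value.
SHARED_SECRET = b"example-capif-aef-secret"

# Constructed stand-in for the owner's "authorization configuration file":
# owner -> caller -> resource -> set of permitted operations.
AUTHORIZATION_PROFILES = {
    "owner-ue-1": {
        "caller-app-A": {"location": {"get"}, "presence": {"get", "set"}},
    },
}

# Constructed target resources the AEF exposes on behalf of the owner.
RESOURCES = {("owner-ue-1", "location"): {"cell": "example-cell-42"}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def capif_authorize(caller_id, owner_id, resource, operation, now=None, ttl=300):
    """Claim 60: decide from the owner's profile whether this caller may perform
    this operation on this resource; on approval, return a token binding all four."""
    allowed = AUTHORIZATION_PROFILES.get(owner_id, {}).get(caller_id, {}).get(resource, set())
    if operation not in allowed:
        return {"authorized": False, "token": None}
    now = time.time() if now is None else now
    claims = {"caller": caller_id, "owner": owner_id, "resource": resource,
              "operation": operation, "exp": now + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).digest())
    return {"authorized": True, "token": f"{payload}.{sig}"}


def aef_verify_token(token, now=None):
    """AEF token verification: integrity (HMAC over the payload) and expiry.
    Returns the token's claims, or None if the token is invalid."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def aef_handle_request(request, now=None):
    """Claim 61: serve the resource only if the token is valid AND the request's
    caller/owner/resource/operation match what the token was issued for."""
    token = request.get("token")
    if token is None:
        return {"status": 401, "resource": None}      # no token carried
    claims = aef_verify_token(token, now)
    if claims is None:
        return {"status": 401, "resource": None}      # tampered, malformed or expired
    for field in ("caller", "owner", "resource", "operation"):
        if request.get(field) != claims[field]:
            return {"status": 403, "resource": None}  # valid token, wrong request
    return {"status": 200, "resource": RESOURCES.get((claims["owner"], claims["resource"]))}


def demo():
    """Run the approved, mismatched and tampered cases; returns their statuses."""
    grant = capif_authorize("caller-app-A", "owner-ue-1", "location", "get", now=1000)
    base = {"caller": "caller-app-A", "owner": "owner-ue-1", "resource": "location"}
    ok = aef_handle_request({**base, "operation": "get", "token": grant["token"]}, now=1100)
    wrong_op = aef_handle_request({**base, "operation": "set", "token": grant["token"]}, now=1100)
    payload, sig = grant["token"].split(".")
    tampered = payload[:-1] + ("A" if payload[-1] != "A" else "B") + "." + sig
    forged = aef_handle_request({**base, "operation": "get", "token": tampered}, now=1100)
    return {"ok": ok["status"], "wrong_op": wrong_op["status"], "forged": forged["status"]}


if __name__ == "__main__":
    print(demo())
```

The point the AEF side makes is that signature validity alone is not the access decision: a caller holding a genuine token for `get` on `location` still receives 403 when it asks to `set`, because the request is compared field by field against the claims the CAPIF function bound into the token.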
PCT/CN2022/112333 2022-08-12 2022-08-12 Application program interface (api) invoking method and apparatus, and storage medium WO2024031731A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202280003046.1A CN117882348A (en) 2022-08-12 2022-08-12 Application program interface API calling method and device and storage medium
PCT/CN2022/112333 WO2024031731A1 (en) 2022-08-12 2022-08-12 Application program interface (api) invoking method and apparatus, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/112333 WO2024031731A1 (en) 2022-08-12 2022-08-12 Application program interface (api) invoking method and apparatus, and storage medium

Publications (1)

Publication Number Publication Date
WO2024031731A1 true WO2024031731A1 (en) 2024-02-15

Family

ID=89850428

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/112333 WO2024031731A1 (en) 2022-08-12 2022-08-12 Application program interface (api) invoking method and apparatus, and storage medium

Country Status (2)

Country Link
CN (1) CN117882348A (en)
WO (1) WO2024031731A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110046001A (en) * 2018-01-15 2019-07-23 Huawei Technologies Co., Ltd. Authorization revocation method and device
CN112352409A (en) * 2018-04-06 2021-02-09 NEC Corporation Security procedures for generic API framework in next generation networks
CN112470444A (en) * 2018-11-15 2021-03-09 Telefonaktiebolaget LM Ericsson (publ) Method and apparatus for revoking authorization to API callers
CN113259930A (en) * 2020-02-10 2021-08-13 Datang Mobile Communications Equipment Co., Ltd. Calling request, inquiry and authorization processing method, device and apparatus, and medium

Also Published As

Publication number Publication date
CN117882348A (en) 2024-04-12

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22954679

Country of ref document: EP

Kind code of ref document: A1