T-CAICI 91-2024 5G消息業(yè)務(wù)增強(qiáng)能力規(guī)范 統(tǒng)一認(rèn)證能力要求

T/CAICIT/CAICI91—2024統(tǒng)一認(rèn)證能力要求UnifiedAuthenticatio2024-08-26發(fā)布2024-09-15實(shí)施中國(guó)通信企業(yè)協(xié)會(huì)發(fā)布I III 2 2 2 3 3 3 3 3 5 5 5 5 6 6 6 II III12BIR3<characteristictype="MESSAGING"><characteristictype="Singlesign-on"><parmname="SSOURI"value="/ssoserver"/></characteristic></characteristic>41)通過(guò)GBA開(kāi)放平臺(tái)跳轉(zhuǎn)到MM—MM—M應(yīng)用的頁(yè)面，由第三方應(yīng)用提供，主域名應(yīng)在其開(kāi)通M—M—M—5應(yīng)用系統(tǒng)向用戶發(fā)送的Chatbot消息，并轉(zhuǎn)發(fā)給終端；負(fù)責(zé)為第三方應(yīng)用系統(tǒng)開(kāi)通統(tǒng)一認(rèn)證能力接口①：第三方應(yīng)用系統(tǒng)與統(tǒng)一認(rèn)證能力開(kāi)通邏輯模塊間的接口，完成統(tǒng)一認(rèn)證能力開(kāi)通相關(guān)的6接口⑥：GBA認(rèn)證能力開(kāi)放平臺(tái)與第三方應(yīng)用系統(tǒng)間的第三方應(yīng)用到GBA認(rèn)證能力開(kāi)放平臺(tái)申請(qǐng)開(kāi)通統(tǒng)一認(rèn)證能力，流程如圖2所示。1．第三方應(yīng)用系統(tǒng)申請(qǐng)開(kāi)通統(tǒng)一認(rèn)證能力，攜帶第三方應(yīng)用的企業(yè)名稱、管理者身份、Chatbot交互，獲得登錄后的第三方應(yīng)用網(wǎng)頁(yè)。用戶獲取授權(quán)頁(yè)面流程如圖3所示，用戶確認(rèn)授權(quán)流程如圖478—機(jī)制1：直接訪問(wèn)GBA認(rèn)證能力開(kāi)放平臺(tái)。5’～7’：外鏈直接指向GBA認(rèn)證能力開(kāi)放平臺(tái)，數(shù)。GBA認(rèn)證能力開(kāi)放平臺(tái)對(duì)appid和回調(diào)URL進(jìn)行校驗(yàn)，如果校驗(yàn)通過(guò)，則返回授權(quán)確認(rèn)頁(yè)面，攜帶預(yù)授權(quán)code;如果校驗(yàn)不通過(guò)，則返回校驗(yàn)不通過(guò)的結(jié)果及不通過(guò)的原因提示頁(yè)面。9放平臺(tái)獲得用戶取消授權(quán)的結(jié)果后，記錄該事名跟回調(diào)url的域名是否一致。執(zhí)行GBA認(rèn)證的后續(xù)流程，獲得用戶的IMPU和IMPI，并保存緩存信息；GBA認(rèn)證能力開(kāi)放平8.1第三方應(yīng)用系統(tǒng)與統(tǒng)一認(rèn)證能力開(kāi)通模塊間的接口（接口1）請(qǐng)求地址：/gbaop/v1/auth/codeMM無(wú)無(wú)M無(wú)GET/gbaop/v1/auth/codeHTTP/1.1User-Agent:NAF1ApplicationAgentRelease-63gpp-gbaDate:Thu,08Jan201910:50:35GMTX-3GPP-Intended-Identity:sip:+8613911111111@Connection:Keep-AliveContent-Length:0HTTP/1.1401UnauthorizedServer:Apache/1.3.22(Unix)mod_perl/1.27Date:Thu,24July201910:50:35GMTWWW-Authenticate:Digestrealm="3GPP-bootstrapping@ftcontentserver.rcs.mnc00.",nonce="6629fae49393a05397450978507c4ef1",algorithm=AKA_v1_SHA256,qop="auth,auth-int",opaque="5ccc069c403ebaf9f0171e9517f30e41"MMMMMMCOMGET/gbaop/v1/auth/code?pre_auth_code=kdflsflsdkfHTTP/1.1User-Agent:NAF1ApplicationAgentRelease-63gpp-gbaDate:Thu,08Jan201910:50:35GMTX-3GPP-Intended-Identity:+8613844445678Authorization:Digestusername="(B-TID)",realm="3GPP-bootstrapping@",nonce="a6332ffd2d234==",uri="/",qop=auth-int,nc=00000001,cnonce="6629fae49393a05397450978507c4ef1",response="6629fae49393a05397450978507c4ef1",opaque="5ccc069c403ebaf9f0171e9517f30e41",algorithm=SHA-256Connection:Keep-AliveContent-Length:0HTTP/1.1200OKAccess-Control-Allow-Origin:*Content-Type:application/json;charset=UTF-8Transfer-Encoding:chunkedDate:Mon,09Nov202002:03:33GMTKeep-Alive:timeout=60Connection:keep-alive{"code":"0","data":{"redirect_uri":"/cb?auth_code=SplxlOBeZQQYbYS6WxSbIA&state=xyz"},"message":"OK"}消授權(quán)2個(gè)場(chǎng)景。MXXXXM無(wú)M無(wú)POST/gbaop/v1/auth/cancel?pre_auth_code=kdflsflsdkfHTTP/1.1User-Agent:NAF1ApplicationAgentRelease-63gpp-gbaDate:Thu,08Jan201910:50:35GMTConnection:Keep-AliveContent-Length:0HTTP/1.1302FoundLocation:/cb?state=xyzMMMMOMMMCOMGET/gbaop/v1/auth/code?appid=XX&domain=XX&scope=XXHTTP/1.1User-Agent:NAF1ApplicationAgentRelease-63gpp-gbaDate:Thu,08Jan201910:50:35GMTX-3GPP-Intended-Identity:+8613844445678Authorization:Digestusername="(B-TID)",realm="3GPP-bootstrapping@",nonce="a6332ffd2d234==",uri="/",qop=auth-int,nc=00000001,cnonce="6629fae49393a05397450978507c4ef1",response="6629fae49393a05397450978507c4ef1",opaque="5ccc069c403ebaf9f0171e9517f30e41",algorithm=SHA-256Connection:Keep-AliveContent-Length:0HTTP/1.1200OKAccess-Control-Allow-Origin:*Content-Type:application/json;charset=UTF-8Transfer-Encoding:chunkedDate:Mon,09Nov202002:03:33GMTKeep-Alive:timeout=60Connection:keep-alive{"code":"0","data":{"auth_code":"XXXX"},"message":"OK"}8.7第三方應(yīng)用系統(tǒng)與GBA認(rèn)證能力開(kāi)放平臺(tái)間的接口（接口6）MXXXXMMMO運(yùn)營(yíng)商可根據(jù)實(shí)際情況擴(kuò)展其他值，用于開(kāi)放OO無(wú)MMMCOM0/gbaop/v1/authorizepage?response_type=code&appid=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2FcbHTTP/1.1User-Agent:NAF1ApplicationAgentRelease-63gpp-gbaDate:Thu,08Jan201910:50:35GMTX-3GPP-Intended-Identity:sip:+8613911111111@Connection:Keep-AliveContent-Length:0HTTP/1.1200OKAccess-Control-Allow-Origin:*Content-Type:application/json;charset=UTF-8Transfer-Encoding:chunkedDate:Mon,09Nov202002:03:33GMTKeep-Alive:timeout=60Connection:keep-alive{"code":"0","data":{"auth_url":"/gbaopv/index.html?pre_auth_code=S},"message":"OK"}M無(wú)MMMM無(wú)MMCOMMMOOPOST/gbaop/v1/auth/tokenHTTP/1.1User-Agent:NAF1ApplicationAgentRelease-63gpp-gbaDate:Thu,08Jan201910:50:35GMTContent-Type:application/jsonConnection:Keep-AliveContent-Length:45{"grant_type":"authorization_code","auth_code":"dfdfsdf","redirect_uri":"https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb","appid":"fhfghgfhgfh","appsecret":"dfdfsdf"}HTTP/1.1200OKAccess-Control-Allow-Origin:*Content-Type:application/json;charset=UTF-8Transfer-Encoding:chunkedDate:Mon,09Nov202002:03:33GMTKeep-Alive:timeout=60Connection:keep-alive{"code":"0","data":{"access_token":"d2bbd4f22a0f9050e2fb17f2bdaa0bef","token_type":"bearer","expires_in":3600,"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA","scope":"telnum"},"message":"OK"}期，更新為新的，如果沒(méi)過(guò)期，僅僅更新有效期，采用HTTPS請(qǐng)求和M無(wú)M無(wú)MMCOMMM過(guò)期時(shí)間，單位為秒。如果省略該參數(shù)，應(yīng)以其OOPOST/gbaop/v1/auth/refreshtokenHTTP/1.1User-Agent:NAF1ApplicationAgentRelease-63gpp-gbaDate:Thu,08Jan201910:50:35GMTContent-Type:application/jsonConnection:Keep-AliveContent-Length:45{"refresh_token":"d2bbd4f22a0f9050e2fb17f2bdaa0bef"}HTTP/1.1200OKAccess-Control-Allow-Origin:*Content-Type:application/json;charset=UTF-8Transfer-Encoding:chunkedDate:Mon,09Nov202002:03:33GMTKeep-Alive:timeout=60Connection:keep-alive{"code":"0","data":{"access_token":"d2bbd4f22a0f9050e2fb17f2bdaa0bef","token_type":"bearer","expires_in":3600,"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA","scope":"telnum"},"message":"OK"}第三方應(yīng)用系統(tǒng)通過(guò)本接口向GBA認(rèn)證能力開(kāi)放平臺(tái)查詢用戶的身份信息（手機(jī)號(hào)碼采用MM無(wú)無(wú)MMCOMGET/gbaop/v1/auth/phonenum?access_token=ACCESS_TOKENHTTP/1.1User-Agent:NAF1ApplicationAgentRelease-63gpp-gbaDate:Thu,08Jan201910:50:35GMTX-3GPP-Intended-Identity:sip:+8613911111111@Connection:Keep-AliveContent-Length:0HTTP/1.1200OKSet-Cookie:reme