API Design : UNAUTHENTICATED 401 #128

Closed
190183 opened this issue Jan 31, 2024 · 5 comments · Fixed by #213

Comments

@190183

190183 commented Jan 31, 2024

ISSUE
I am using IBM API Connect as a gateway where I don't have control over the internal authorization server. Due to this, if any request fails because of an authorization issue, it throws an error in the below format:

```json
{
  "httpCode": "401",
  "httpMessage": "Unauthorized",
  "moreInformation": "Invalid client id or secret."
}
```

Whereas the expected CAMARA format is:

```json
{
  "status": 401,
  "code": "UNAUTHENTICATED",
  "message": "Request not authenticated due to missing, invalid, or expired credentials."
}
```

In this case the request gets rejected at the server level itself and it doesn't reach my code to handle it. Due to this I am unable to change the response format.

Currently, I am working with GSMA to close the certification for the SIM Swap service, but due to this particular use case it is not done.
My suggestion is to ignore this use case for certification, as I am sure other MNOs will also face this limitation.

@MarkCornall
Collaborator

To follow the Open Gateway and CAMARA aim where a developer should not need to change their code to connect to any CAMARA API, the format should be followed. Not following it will cause developers and operators in federation to complicate their implementations and introduce errors and failures. My view would be for you to raise this internally to have the correct/custom response to your authorisation calls within your implementation. Happy to aid in that process if needed.

@190183
Author

190183 commented Feb 1, 2024

Hi Mark,

I am checking internally if there is any way to modify it.
Meanwhile, as per W3 standard, which is universally followed, HTTP Code “401”, “Unauthorized” is acceptable.
https://www.w3schools.com/tags/ref_httpmessages.asp

So, my suggestion is to align the GSMA design guidelines with the universally accepted format; why are we changing it?

Regards
Prashant Sidana

@AxelNennker
Contributor

Not sure I understand this completely.

Camara uses the OIDC standard, which defines several error codes:

- 3.1.2.6. Authentication Error Response
  https://www.rfc-editor.org/rfc/rfc6749.html#page-45
- 3.1.3.4. Token Error Response
- 5.3.3. UserInfo Error Response
- CIBA Token Error Response
- CIBA Authentication Error Response

Also, there is the OAuth2 error registry:
https://www.rfc-editor.org/rfc/rfc6749.html#section-11.4

The following is definitely non-standard:

```json
{
  "httpCode": "401",
  "httpMessage": "Unauthorized",
  "moreInformation": "Invalid client id or secret."
}
```

Whenever OIDC and OAuth2 are used in Camara the error responses MUST follow the respective OIDF and IETF standard.
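The two points raised in this thread, the gateway's non-standard 401 body that the operator cannot change in application code and the requirement that OAuth2/OIDC endpoint errors keep their IETF shape, can both be handled in one response hook that sits between the gateway and the developer. The following is an added illustration, not code from CAMARA, IBM API Connect or anyone in the thread. It assumes (nothing on the page states this) that such a hook receives the HTTP status, the request path and the parsed JSON body and may replace them, that OAuth2/OIDC endpoints live under a `/oauth2/` prefix, and the API path `/sim-swap/v0/check` used in the sample is constructed for the example:

```python
"""
Hypothetical gateway response hook (added example, not project code).

Assumed: the hook is called with (status, path, body) after the gateway has
produced its response and before the developer sees it, and may return a
replacement. The "/oauth2/" prefix for token/authorization endpoints is an
assumption for the example.
"""
import json

# CAMARA shape for a failed authentication, exactly as quoted in the issue.
CAMARA_UNAUTHENTICATED = {
    "status": 401,
    "code": "UNAUTHENTICATED",
    "message": "Request not authenticated due to missing, invalid, or expired credentials.",
}


def is_camara_error(body: dict) -> bool:
    """True if the body already has the CAMARA error shape."""
    return (
        isinstance(body.get("status"), int)
        and isinstance(body.get("code"), str) and body["code"].isupper()
        and isinstance(body.get("message"), str)
    )


def is_oauth2_error(body: dict) -> bool:
    """True if the body is an RFC 6749 section 5.2 style error response.

    The RFC requires an 'error' member; the registered values (section 11.4)
    extend the core list, so only the member, not its value, is checked.
    """
    return isinstance(body.get("error"), str)


def is_gateway_auth_error(status: int, body: dict) -> bool:
    """Recognise the non-standard gateway body quoted in the issue."""
    return (
        status == 401
        and str(body.get("httpCode")) == "401"
        and body.get("httpMessage") == "Unauthorized"
    )


def normalise(status: int, path: str, body: dict) -> tuple[int, dict]:
    """Return (status, body) as the developer should see it.

    - Errors from OAuth2/OIDC endpoints (assumed under /oauth2/) keep the
      IETF shape; they are not rewritten into the CAMARA API error format.
    - A gateway 401 on an API path becomes CAMARA UNAUTHENTICATED. The
      gateway's 'moreInformation' text is not forwarded, so every caller
      sees the same generic CAMARA message.
    - Anything the hook does not recognise passes through untouched; the
      hook must not mask errors it cannot classify.
    """
    if path.startswith("/oauth2/") and is_oauth2_error(body):
        return status, body
    if is_camara_error(body):
        return status, body
    if is_gateway_auth_error(status, body):
        return 401, dict(CAMARA_UNAUTHENTICATED)
    return status, body


def normalise_raw(status: int, path: str, raw: str) -> tuple[int, str]:
    """Same as normalise() for hooks that only see the serialised body."""
    new_status, new_body = normalise(status, path, json.loads(raw))
    return new_status, json.dumps(new_body)


if __name__ == "__main__":
    # Constructed samples: the gateway body from the issue and a token error.
    gateway = {"httpCode": "401", "httpMessage": "Unauthorized",
               "moreInformation": "Invalid client id or secret."}
    token = {"error": "invalid_client",
             "error_description": "Client authentication failed"}
    print(normalise(401, "/sim-swap/v0/check", gateway))
    print(normalise(401, "/oauth2/token", token))
```

The pass-through branches matter as much as the rewrite: a hook that turned every unknown 401 into UNAUTHENTICATED would also swallow token-endpoint errors and any body that already conforms, which is exactly the inconsistency the thread is trying to avoid.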

@rartych
Collaborator

rartych commented May 27, 2024

To be indicated in PR #213
