-
Notifications
You must be signed in to change notification settings - Fork 13
/
one-time-password-sms.yaml
447 lines (440 loc) · 17.3 KB
/
one-time-password-sms.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
openapi: 3.0.3
info:
title: One Time Password SMS
description: |-
Service Enabling Network Function API to send short-lived OTPs (one time passwords) to a phone number via SMS and validate it afterwards, in order to verify the phone number as a proof of possession.
# Relevant Definitions and concepts
- **NaaS**: *Network-as-a-Service* model where Telco Network resources are exposed to third parties through APIs. In this particular API, One Time Password is exposed following this model.
- **OTP**: *One Time password* is a one-time authorization code (OTAC) that is valid for only one login session or transaction.
# API Functionality
It enables a Service Provider (SP) to send an OTP code by SMS and validate it to verify the phone number (MSISDN) as a proof of possession.
# Resources and Operations overview
This API currently provides two endpoints, one to send an OTP to a given phone number and another to validate the code received as input.
# Authorization and authentication
The "Camara Security and Interoperability Profile" provides details on how a client requests an access token. Please refer to Identify and Consent Management (https://github.com/camaraproject/IdentityAndConsentManagement/) for the released version of the Profile.
Which specific authorization flows are to be used will be determined during onboarding process, happening between the API Client and the Telco Operator exposing the API, taking into account the declared purpose for accessing the API, while also being subject to the prevailing legal framework dictated by local legislation.
It is important to remark that in cases where personal user data is processed by the API, and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory. This measure ensures that the API remains in strict compliance with user privacy preferences and regulatory obligations, upholding the principles of transparency and user-centric data control.
version: 1.0.0
x-camara-commonalities: 0.4.0
license:
name: Apache 2.0
url: https://www.apache.org/licenses/LICENSE-2.0.html
servers:
- url: "{apiRoot}/one-time-password-sms/v1"
variables:
apiRoot:
default: http://localhost:9091
description: API root, defined by the service provider, e.g. `api.example.com` or `api.example.com/somepath`
tags:
- name: OTP Management
description: API operations to manage OTP codes
paths:
/send-code:
post:
tags:
- OTP Management
summary: Sends a message including an OTP code to the given phone number
description: |-
Sends an SMS with the desired message and an OTP code to the received phone number.
operationId: sendCode
parameters:
- in: header
name: x-correlator
required: false
description: Correlation id for the different services
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/SendCodeBody'
required: true
responses:
'200':
description: OK
headers:
x-correlator:
description: Correlation id for the different services
schema:
type: string
content:
application/json:
schema:
$ref: '#/components/schemas/SendCodeResponse'
'400':
$ref: '#/components/responses/Generic400'
'401':
$ref: '#/components/responses/Generic401'
'403':
$ref: '#/components/responses/SendCodeForbiddenError403'
'404':
$ref: '#/components/responses/Generic404'
'406':
$ref: '#/components/responses/Generic406'
'415':
$ref: '#/components/responses/Generic415'
'429':
$ref: '#/components/responses/Generic429'
'500':
$ref: '#/components/responses/Generic500'
'503':
$ref: '#/components/responses/Generic503'
'504':
$ref: '#/components/responses/Generic504'
security:
- openId:
- one-time-password-sms:send-validate
/validate-code:
post:
tags:
- OTP Management
summary: Verifies the OTP received as input
description: |-
Verifies the code is valid for the received authenticationId
operationId: validateCode
parameters:
- in: header
name: x-correlator
required: false
description: Correlation id for the different services
schema:
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/ValidateCodeBody'
required: true
responses:
'204':
description: The OTP was successfully validated
headers:
x-correlator:
description: Correlation id for the different services
schema:
type: string
'400':
$ref: '#/components/responses/ValidateCodeBadRequestError400'
'401':
$ref: '#/components/responses/Generic401'
'403':
$ref: '#/components/responses/Generic403'
'404':
$ref: '#/components/responses/Generic404'
'406':
$ref: '#/components/responses/Generic406'
'415':
$ref: '#/components/responses/Generic415'
'429':
$ref: '#/components/responses/Generic429'
'500':
$ref: '#/components/responses/Generic500'
'503':
$ref: '#/components/responses/Generic503'
'504':
$ref: '#/components/responses/Generic504'
security:
- openId:
- one-time-password-sms:send-validate
components:
schemas:
SendCodeBody:
description: Structure to request sending a code to a phone number
type: object
properties:
phoneNumber:
$ref: '#/components/schemas/PhoneNumber'
message:
$ref: '#/components/schemas/Message'
required:
- phoneNumber
- message
SendCodeResponse:
description: Structure to provide authentication identifier
type: object
properties:
authenticationId:
$ref: '#/components/schemas/AuthenticationId'
required:
- authenticationId
ValidateCodeBody:
description: Strcuture to request code verification
type: object
properties:
authenticationId:
$ref: '#/components/schemas/AuthenticationId'
code:
$ref: '#/components/schemas/Code'
required:
- authenticationId
- code
PhoneNumber:
description: A public identifier addressing a telephone subscription. In mobile networks it corresponds to the MSISDN (Mobile Station International Subscriber Directory Number). In order to be globally unique it has to be formatted in international format, according to E.164 standard, prefixed with '+'.
type: string
pattern: '^\+[1-9][0-9]{4,14}$'
example: '+346661113334'
Message:
type: string
description: Message template used to compose the content of the SMS sent to the phone number. It must include the following label indicating where to include the short code `{{code}}`
pattern: .*\{\{code\}\}.*
maxLength: 160
example: '{{code}} is your short code to authenticate with Cool App via SMS'
AuthenticationId:
type: string
description: unique id of the verification attempt the code belongs to.
maxLength: 36
example: ea0840f3-3663-4149-bd10-c7c6b8912105
Code:
type: string
description: temporal, short code to be validated
maxLength: 10
example: AJY3
ErrorInfo:
description: Structure to describe error
type: object
required:
- status
- code
- message
properties:
status:
type: integer
description: HTTP response status code
code:
type: string
description: Code given to this error
message:
type: string
description: Detailed error description
securitySchemes:
openId:
type: openIdConnect
openIdConnectUrl: https://example.com/.well-known/openid-configuration
responses:
Generic400:
description: Problem with the client request
headers:
x-correlator:
description: Correlation id for the different services
schema:
type: string
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
example:
status: 400
code: INVALID_ARGUMENT
message: Client specified an invalid argument, request body or query param
ValidateCodeBadRequestError400:
description: |-
Problem with the client request. In addition to regular scenario of `INVALID_ARGUMENT`, another scenarios may exist:
- Too many unsuccessful attempts (`{"code": "ONE_TIME_PASSWORD_SMS.VERIFICATION_FAILED","message": "The maximum number of attempts for this authenticationId was exceeded without providing a valid OTP"}`)
- Expired authenticationId (`{"code": "ONE_TIME_PASSWORD_SMS.VERIFICATION_EXPIRED","message": "The authenticationId is no longer valid"}`)
- OTP is not valid for the provided authenticationId (`{"code": "ONE_TIME_PASSWORD_SMS.INVALID_OTP","message": "The provided OTP is not valid for this authenticationId"}`)
headers:
x-correlator:
description: Correlation id for the different services
schema:
type: string
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
examples:
InvalidArgument:
value:
status: 400
code: INVALID_ARGUMENT
message: Client specified an invalid argument, request body or query param
VerificationFailed:
value:
status: 400
code: ONE_TIME_PASSWORD_SMS.VERIFICATION_FAILED
message: The maximum number of attempts for this authenticationId was exceeded without providing a valid OTP
VerificationExpired:
value:
status: 400
code: ONE_TIME_PASSWORD_SMS.VERIFICATION_EXPIRED
message: The authenticationId is no longer valid
InvalidOtp:
value:
status: 400
code: ONE_TIME_PASSWORD_SMS.INVALID_OTP
message: The provided OTP is not valid for this authenticationId
Generic401:
description: Authentication problem with the client request
headers:
x-correlator:
description: Correlation id for the different services
schema:
type: string
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
example:
status: 401
code: UNAUTHENTICATED
message: Request not authenticated due to missing, invalid, or expired credentials
Generic403:
description: Client does not have sufficient permission
headers:
x-correlator:
description: Correlation id for the different services
schema:
type: string
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
example:
status: 403
code: PERMISSION_DENIED
message: Client does not have sufficient permissions to perform this action
SendCodeForbiddenError403:
description: |-
Client does not have sufficient permissions to perform this action.
In addition to regular scenario of `PERMISSION_DENIED`, another scenarios may exist:
- Too many code requests were sent (`{"code": "ONE_TIME_PASSWORD_SMS.MAX_OTP_CODES_EXCEEDED","message": "Too many OTPs have been requested for this MSISDN. Try later."}`)
- The given phoneNumber can't receive an SMS due to business reasons in the operator, e.g. fraud, receiving SMS is not supported, etc (`{"code": "ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_NOT_ALLOWED","message": "Phone_number can't receive an SMS due to business reasons in the operator."}`)
- The given phoneNumber is blocked to receive SMS due to any blocking business reason in the operator (`{"code": "ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_BLOCKED","message": "Phone_number is blocked to receive SMS due to any blocking business reason in the operator."}`)
headers:
x-correlator:
description: Correlation id for the different services
schema:
type: string
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
examples:
PermissionDenied:
value:
status: 403
code: PERMISSION_DENIED
message: Client does not have sufficient permissions to perform this action
MaxOtpCodesExceeded:
value:
status: 403
code: ONE_TIME_PASSWORD_SMS.MAX_OTP_CODES_EXCEEDED
message: Too many OTPs have been requested for this MSISDN. Try later.
PhoneNumberNotAllowed:
value:
status: 403
code: ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_NOT_ALLOWED
message: Phone_number can't receive an SMS due to business reasons in the operator.
Phone_number_blocked:
value:
status: 403
code: ONE_TIME_PASSWORD_SMS.PHONE_NUMBER_BLOCKED
message: Phone_number is blocked to receive SMS due to any blocking business reason in the operator.
Generic404:
description: Resource Not Found
headers:
x-correlator:
description: Correlation id for the different services
schema:
type: string
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
example:
status: 404
code: NOT_FOUND
message: A specified resource is not found
Generic406:
description: The server can not produce a response matching the content
headers:
x-correlator:
description: Correlation id for the different services
schema:
type: string
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
example:
status: 406
code: NOT_ACCEPTABLE
message: The server can't produce a response matching the content requested by the client through Accept-* headers
Generic415:
description: The server refuses to accept the request because the payload format is in an unsupported format
headers:
x-correlator:
description: Correlation id for the different services
schema:
type: string
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
example:
status: 415
code: UNSUPPORTED_MEDIA_TYPE
message: The server refuses to accept the request because the payload format is in an unsupported format
Generic429:
description: Either out of resource quota or reaching rate limiting
headers:
x-correlator:
description: Correlation id for the different services
schema:
type: string
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
example:
status: 429
code: TOO_MANY_REQUESTS
message: Either out of resource quota or reaching rate limiting
Generic500:
description: Server error
headers:
x-correlator:
description: Correlation id for the different services
schema:
type: string
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
example:
status: 500
code: INTERNAL
message: Server error
Generic503:
description: Service unavailable. Typically the server is down.
headers:
x-correlator:
description: Correlation id for the different services
schema:
type: string
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
example:
status: 503
code: UNAVAILABLE
message: Service unavailable
Generic504:
description: Request time exceeded. If it happens repeatedly, consider reducing the request complexity
headers:
x-correlator:
description: Correlation id for the different services
schema:
type: string
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorInfo'
example:
status: 504
code: TIMEOUT
message: Request timeout exceeded. Try later.
externalDocs:
description: Project documentation at CAMARA
url: https://github.com/camaraproject/NumberVerificationSMS2FA