Sim swap alignement with commonalities 0.5

[bigludo7]

What type of PR is this?

Add one of the following kinds:

• enhancement/feature

What this PR does / why we need it:

Alignement of sim_swap.yaml, sim_swap-retrieveDate.feature and sim_swap-check.feature with commonalities 0.5 rules.
See detail in release note

Which issue(s) this PR fixes:

Fixes #161

Special notes for reviewers:

This is breaking change.

Changelog input

release-note
sim_swap.yaml:
- Change error structure definition to normalize error & status
- Update error code to introduce 429
- Remove 5xx errors
- Change in 422 code
- Add 3-legged token examples
- Improve documentation part

sim_swap-retrieveDate.feature:
- update test case scenario for 422
- Add optional test case for 401 AUTHENTICATION_REQUIRED

sim_swap-check.feature:
- update test case scenario for 422
- Add optional test case for 401 AUTHENTICATION_REQUIRED

Additional documentation

This section can be blank.

docs

[github-actions]

🦙 MegaLinter status: ✅ SUCCESS

Descriptor	Linter	Files	Fixed	Errors	Elapsed time
✅ ACTION	actionlint	2		0	0.02s
✅ OPENAPI	spectral	2		0	3.21s
✅ REPOSITORY	git_diff	yes		no	0.01s
✅ REPOSITORY	secretlint	yes		no	0.8s
✅ YAML	yamllint	2		0	0.63s

See detailed report in MegaLinter reports

MegaLinter is graciously provided by

[gregory1g]

For SimSwap a subject of the API is a phone number, not a device. The "device-centric" language is misleading.

[bigludo7]

Agreed. I will apply.

[bigludo7]

done

[gregory1g]

What "field" other than the phoneNumber can it be?

[bigludo7]

I followed what is described in the CAMARA_common.yaml

I tend to think that this error should not be triggered in our case because if you pass a 3-legs access token identifying the phone number and a phone number in the body the 422 UNNECESSARY_IDENTIFIER must be triggered.

[gregory1g]

Yes, I understood that you follow commonalities. But should we really copy paste its wording 1:1 when we know better. A developer will read this text and can be confused.

And you are right - with the change this PR introduces, this check will not be executed: 422 to be returned without checking if both match or not. Let's remove it.

[bigludo7]

Yes make sense for me. to remove ut but I would like to hear from @fernandopradocabrillo before to proceed.

Fernando do you think we can remove 403 INVALID_TOKEN_CONTEXT ? as we do not see when this error will be triggered.

[gregory1g]

I agree with the logic of the change, but this is a not-backward compatible change. Currently one may send 3-legged token and the phoneNumber (even if this is not recommended), with this change this will cause a error.

[bigludo7]

Agree we have a breaking change here but we have to follow commonalities. Indeed, If you use 3-legs access token with a phoneNumber in the body you'll have a 422 UNNECESSARY_IDENTIFIER while previously it worked.

As a reminder we introduced this to avoid 'hidden' number verification

[gregory1g]

The purpose of my comment was to highlight this, and make sure that the consequences of new commonalities are not overlooked.

[bigludo7]

@fernandopradocabrillo @gregory1g Following camaraproject/Commonalities#369 discussion I think it's fair to remove 403 INVALID_TOKEN_CONTEXT example in the yaml.

May I ask you to review this new proposal soon as we have to prepare the RC candidate before Jan17th. We can still modify after but we have to achieve the milestone.

[gregory1g]

If this error for 3-legged token invocation only it should not say "not included in the request", because this is not allowed for the 3-legged invocation.

If the error is generic it should not explicitly mention 3-legged token (because it could be a 2-legged token). Like "An identifier is not included in the request and the device or phone number identification cannot be derived from access token".

Since "MISSING_IDENTIFIER" error message uses a generic "access token" style, I suggest to use generic style here as well.

[bigludo7]

This is generic.
I followed commonalities guideline see here.

I suggest @gregory1g that you post your comment in commonalities as it makes sense.

[gregory1g]

created an issue there: camaraproject/Commonalities#370

[gregory1g]

according to Eric, commonality's "description" is not a error message to be send, it is a description for the reader of the table in the document. While example of the message is in the "Message example" column. An this is just an example, different API can use different text

[bigludo7]

Proposal discussed with @fernandopradocabrillo : We propose to add precision about this error in the Test Case

[bigludo7]

I've reworked the yaml & TC to add all clarification - please review.

[gregory1g]

"to identify a device" this is not the case, the API does not need to identify a device at all. MSIDN is subscription ID, not a device ID. And the API implementation does not need to identify the device either.
Considering that API description targets application developers, using "device" is rather misleading. It makes a reader think that this API target exact phone unit like geo location APIs do.

[bigludo7]

Fixed accordingly

[eric-murray]

using "device" is rather misleading

One of the advantages of the CAMARA approach is that application developers can use APIs such as SIM Swap without knowing (or learning) the MSISDN at all. All they need to do is identify a device using the subscription, and capture its IP address. I think ruthlessly expunging "device" from our documentation and baking in "phone number" mean this possibility gets overlooked.

It would be nice if we could come up with some "developer friendly" formulation of words which also captures this possibility, as there will be use cases out there that would benefit from this approach if only developers were aware of it.

[bigludo7]

@eric-murray To be sure to follow you - as in the body we can only use the phone number - you want to highlight the point that via the 3-legged token we can value in the login-hint other identifier like ip?

[eric-murray]

@bigludo7
No, it was just a general comment - I'm not expecting the documentation to be updated because of it.

Using a 2-legged access token and explicit identifier will very much be the exception for CAMARA APIs, and yet it is the definition of the explicit identifier that dominates the API description. For the normal case of a 3-legged access token, the token itself is not classified as a "device" token or "phone number" token. The very same token could be used for both a "phone number" API (such as SIM Swap) and a "device" API (such as Device Status).

If 3-legged tokens were the only option, we would not have to go through these mental gymnastics of documenting an API as either a "device" API or a "phone number" API. It is to be hoped that we can come to some agreement on a common formulation for the documentation that reveals this capability to developers without confusing them.

[eric-murray]

SimSwap can potentially processes an IP as an input

For a 3-legged access token, the "processing" will already have been done. The SIM Swap API itself does not need to do anything different.

I take the point that IP as a device identifier is not persistent. An API consumer cannot capture the IP address and expect to use that the following week to check the SIM Swap status of the associated subscription. But if they immediately obtain an access token for that IP, then they can check the SIM Swap status for the subscription used by that device, all without even knowing what the MSISDN is.

It is this possibility I think gets overlooked - using "phone number" APIs without knowing the phone number.

[gregory1g]

my point was that SimSwap does not target a device, it targets an MSISDN.

[eric-murray]

SIM Swap targets the mobile subscription. The API consumer does not need to know the MSISDN to use the API.

[bigludo7]

@gregory1g @eric-murray Does this discussion prevent me to merge this PR? with the M3 at the horizon we need to move forward for the yaml & work on the other asset. I can try to copy paste your comment in the discussion?

[eric-murray]

@bigludo7
No changes needed, just proceed with the M3 as planned.

Probably the full range of use cases that can be supported by an API can be better advertised through developer portals rather than the YAML documentation anyway. But we can maybe think later on how we can better document what a developer needs to know or needs access to in order to use an API.

[gregory1g]

"the subject will be identified from the optional phoneNumber identifier" says that the phoneNumner is not the subject of the API, but just a helper to identify the device. This is confusing. The original terminology was simpler to understand. Especially when one also reads documentation for other API which really target a device.

[bigludo7]

Fixed accordingly

[gregory1g]

Suggestion: use "phoneNumer" instead of "subject" - it is still a single word and it is simpler to understand.

[bigludo7]

Fixed accordingly

[fernandopradocabrillo]

LGTM

[bigludo7]

Thanks @fernandopradocabrillo
I've applied your suggestion so I need again your approval.

@gregory1g : Any blocker on your side for approval?

[gregory1g]

lgtm