Initial API proposal #11
Conversation
eric-murray
requested review from
GillesInnov35 and
grgpapadopoulos
as code owners
Updates to keep linter happy
Remove 404 error
There was a problem hiding this comment.
hi @eric-murray , thanks a lot for this good proposal, it's OK. I've a question on what we've started to discuss on discussions #7 and #8. What do you think about adding those rules in the API overview.
|
@GillesInnov35 But there is no need to wait for these rules to be agreed before merging this PR. This is just a "work in progress" version, which will be subject to further updates before being released as an initial version. Further updates can be pushed to the repository as they are agreed. |
|
Thanks @GillesInnov35 I won't merge this until others have raised any questions they may have, and have given their approval as well. It should also be discussed during at least one of the bi-weekly KYC meetings. As the next meeting is tomorrow, I think we are looking at waiting until after the subsequent meeting before merging this. And I also need approval for PR #13. Currently, the YAML linter does not like line lengths more than 80 characters. That PR is required so that that rule can be disabled. |
Hi @GillesInnov35. I was re-adding @camaraproject/tenure_maintainers as a reviewer to bring this PR to the attention of Telefonica, who have no codeowner for this repository, but are maintainers. Now I have just added @claraserranosolsona and @jgarciahospital directly as reviewers, which is perhaps simpler. I would like Telefonica feedback on this proposal before merging. |
|
Hi @eric-murray, tenureDateCheck is currently a boolean attribute. I wonder if the API will have also to return the information that the date comparison could not been done because the MNO do have the correct information, and then return "not_available". BR |
|
Can you clarify your proposal? Is this to handle mobile subscribers for which no answer can be given, because their The assumption behind the API design was that each mobile subscriber has a recorded tenure date with no limit on how long ago that was. So if a subscriber had the same MSISDN for, say, 20 years, then the tenure date would be known to be 20 years ago, and not "more than 10 years", for example. Do we need to consider making the requested Because |
|
Thanks Eric BR |
|
Other way, would be to return the date when the line was opened. |
Commonalities provide an error that can be used when a given service does not apply to a given "device" (in this case, subscription): This was intended for cases such as querying the SIM Swap API with a fixed line phone number. I included this error in the proposed YAML. Curiously, the SIM Swap API did not adopt this error, but instead defines: which is maybe because "device" can be viewed as a confusing term to use when it is identifying the subscription. But the mechanism is the same - there is an explicit 422 error defined for this case, rather than returning a 200 response which, on closer inspection, turns out to be an error. |
|
Thanks Eric, OK it works and the response error seems to be clear. So "not-available" is not useful. Gilles |
|
Hi Eric, It may be better to follow the SIm Swap 422 error message, because it is indeed for the phone number (and not the device) |
There was a problem hiding this comment.
Hi @eric-murray! Thanks for crafting the initial PR.
Sorry for the late review, from TEF we are also interested in this API.
| status: 404 | ||
| code: NOT_FOUND | ||
| message: The specified resource is not found. | ||
| GENERIC_404_DEVICE_NOT_FOUND: |
There was a problem hiding this comment.
DEVICE_* errors are specific to endpoints that have the device object as input. Here we only have the phone number. It should be aligned with other APIs that use the same format like sim swap or number verification.
I think the standard 404 can cover this error
There was a problem hiding this comment.
I just took the standard errors defined by Commonalities and added then to the first YAML proposal. I agree that some find the term "DEVICE" confusing, but nonetheless we are using phoneNumber to identify what CAMARA calls the "device", but in our case means "device subscription". Just because we exclude IP addresses or the network access identifier does not change that.
So DEVICE_NOT_FOUND is the error code we should be returning when the "device identifier" (in our case, subscription identifier) provided by the API consumer is not one that the API provider knows anything about. NOT_FOUND is the generic code to return when the thing not found is not a "device".
We can maybe argue that the CAMARA concept of a "device" is too broad, and we should clearly separate "physical device" from "device subscription", and maybe have special rules for phoneNumber only. But that is a discussion to have in Commonalities.
There was a problem hiding this comment.
I just took the standard errors defined by Commonalities and added then to the first YAML proposal. I agree that some find the term "DEVICE" confusing, but nonetheless we are using
phoneNumberto identify what CAMARA calls the "device", but in our case means "device subscription". Just because we exclude IP addresses or the network access identifier does not change that.
I don't agree with this statement. The Commonalities documentation, both for the errors and the info.description section, refers to the device object, not the concept of device.
Here we are not using the phone number as a device identifier, we are using it as a subscription identifier. I think that the concept of "device subscription" is misleading in this context. Is there an example API in CAMARA where the device object is not referring to a physical device? I only know Device Status and Device Location. There is also Device Swap which doesn't use the device object.
There was a problem hiding this comment.
I was thinking the API applied to all networks, but remember now it was mobile networks only. So forget "device subscription", and let's define "mobile subscription" and "physical mobile device".
-
So the
Deviceobject can be used to identify subject of the API, and this can be either the mobile subscription or the physical mobile device. Both meanings are possible. -
Similarly, the
phoneNumbercan be used to identify the subject of the API, and again can be either the mobile subscription or the physical mobile device. This is to be expected, asphoneNumberis also a field of theDeviceobject. -
Whether "mobile subscription" or "physical mobile device" is intended as the subject is entirely dependent on the context of the individual API. For this API, it is "mobile subscription", but that could have been identified using a
Deviceobject. I thought that cumbersome for this use case, so proposedphoneNumberonly. -
In general, this API will be called using a 3-legged token. So the API consumer will generally not call the API with either an explicit
phoneNumberor (if it had been defined instead) and explicitDeviceobject. WhetherphoneNumberorDeviceobject is specified in the YAML makes no difference to how the 3-legged token is obtained and used. -
We (as API definers) have no idea what specific identifier is associated with the access token by all possible API providers. It does not have to be MSISDN. It does not even have to be requested using MSISDN in the
login_hint, asipport:is entirely acceptable for generating an access token. Access tokens can be valid for for multiple APIs, and whether the end user identifier associated with the access token is used to identify the mobile subscription or the physical mobile device is entirely dependent on the context of each API that the access token is valid for. -
Because we must define the possibility to pass an explicit mobile subscription identifier as the subject in the case that a 2-legged access token is used (this will not be the normal case) we open ourselves up to 2 additional errors:
- The API consumer uses a 3-legged token but then anyway specifies an explicit mobile subscription identifier
- The API consumer uses a 2-legged token, but does not specify any explicit mobile subscription identifier
-
These error cases were considered by Commonalities, who defined two new error codes:
DEVICE_IDENTIFIERS_MISMATCHwhen a 3-legged token is provided but also an explicit identifier for a different mobile subscription or physical mobile deviceUNIDENTIFIABLE_DEVICEwhen a 2-legged token is provided, but no explicit identifier for a different mobile subscription or physical mobile device
Now Commonalities have not documented this as well or as comprehensively as it could be, but the important point is that, whether the intended subject of the API is the mobile subscription or the physical mobile device, the error is the same, and hence the same error code should be used.
Defining new error codes just because the explicit subject identifier is restricted to phoneNumber rather than being the more general Device object, or because of an objection to using the term "DEVICE_" when the subject is a mobile subscription is pointless, and increases implementation complexity (for both API consumer and provider).
The error message can always be customised, as these are just examples, and so I am happy to define more relevant error messages. But new error codes not defined by Commonalities should go through Commonalities first, and not just be introduced by APIs arbitrarily.
In this case, I think we could remove all objections by asking Commonalities to rename the error codes to something like DEVICE_OR_SUBSCRIPTION_IDENTIFIER_MISMATCH and UNIDENTIFIABLE_DEVICE_OR_SUBSCRIPTION respectively.
There was a problem hiding this comment.
Hi Eric,
I agree the same error code should be used, but I think the use of the word device is leading to confusion. because people may think this refers to hardware.
One suggestion from my side : It may be a better idea to use for example IDENTIFIER_MISMATCH and MISSING_IDENTIFIER in stead of DEVICE_IDENTIFIERS_MISMATCH and UNIDENTIFIABLE_DEVICE. This keeps it in the middle what identifier it is, and also does not point to a device or sim card.
There was a problem hiding this comment.
sorry Eric, my comment was not clear. Those 2 errors with associated messages are already available in Simswap and to have consistent API development we need also 422 error.
There was a problem hiding this comment.
Those 2 errors with associated messages are already available in Simswap and to have consistent API development we need also 422 error.
SIM Swap should have complied with CAMARA Commonalities guidelines on Error Responses, and that requirement will remain as the guidelines are updated.
So SIM Swap will need to update its error response codes (but not necessarily the error message) in any future version to be CAMARA compliant. This is a consequence of SIM Swap defining custom error messages and not engaging with Commonalities. But there is no obligation to update - SIM Swap can continue as v1.0.0 forever.
But we can't have the situation where new APIs unrelated to SIM Swap maintain an ongoing non-compliance with CAMARA guidelines solely to simplify the development tracks of some API providers.
There was a problem hiding this comment.
Hi @eric-murray @GillesInnov35
I also feel more comfortable aligning with what was decided for Sim Swap. I don't share the opinion that it was not compliant with commonalities, it was not a random decision, there was a reasoning behind.
I like the path that this issue is taking in commonalities but maybe waiting for it to be formilize in Spring25 is too long.
There was a problem hiding this comment.
hi @eric-murray @fernandopradocabrillo, I think we should made a decision before Sring25.
Thanks
BR
Gilles
There was a problem hiding this comment.
@fernandopradocabrillo
OK. I'll add the 422 codes NOT_SUPPORTED and UNIDENTIFIABLE_PHONE_NUMBER, and then we can review once the next release of the Commonalities guidelines is available.
code/API_definitions/kyc-tenure.yaml
Outdated
| GENERIC_422_DEVICE_IDENTIFIERS_MISMATCH: | ||
| description: Inconsistency between device identifiers not pointing to the same device | ||
| value: | ||
| status: 422 | ||
| code: DEVICE_IDENTIFIERS_MISMATCH | ||
| message: Provided device identifiers are not consistent. | ||
| GENERIC_422_DEVICE_NOT_APPLICABLE: | ||
| description: Service is not available for the provided device | ||
| value: | ||
| status: 422 | ||
| code: DEVICE_NOT_APPLICABLE | ||
| message: The service is not available for the provided device. | ||
| GENERIC_422_UNIDENTIFIABLE_DEVICE: | ||
| description: No identifier provided for any device | ||
| value: | ||
| status: 422 | ||
| code: UNIDENTIFIABLE_DEVICE | ||
| message: No identifier provided for any device |
There was a problem hiding this comment.
Same as the previous comment. Here the device object is not used.
- DEVICE_IDENTIFIERS_MISMATCH -> since there are no multiple identifiers in the input this one makes no sense here. It is used, for example, when providing an ip and a phone number from different devices.
- DEVICE_NOT_APPLICABLE -> in Sim swap we defined 422
NOT_SUPPORTEDto indicate that the service is not supported for the provided phone number - UNIDENTIFIABLE_DEVICE -> Adapted to
UNIDENTIFIABLE_PHONE_NUMBERwith the same meaning but for APIs that use the phone number as input
references for the errors discussions:
camaraproject/SimSwap#117
camaraproject/Commonalities#145 (comment)
There was a problem hiding this comment.
phoneNumber is a subset of the Device object, and I don't think special rules should apply just because we propose not to allow device subscriptions to be identified by IP address or network access identifier.
But also, and this is important, a 3-legged token can be generated from the IP address. So just because we do not explicitly allow IP address as a device subscription identifier does not mean that IP address cannot be used to generate a 3-legged token.
More specifically:
DEVICE_IDENTIFIERS_MISMATCHis intended when the "device" identified by a 3-legged token is different to that explicitly passed (in this case, byphoneNumber). There are privacy issues here if we confirm whether or not the identifiers match, so this one may yet be removed by Commonalities.DEVICE_NOT_APPLICABLEis what SIM Swap should have used rather than define their own error codeUNIDENTIFIABLE_DEVICEis when a 2-legged token is used with nophoneNumberbeing provided.
I don't like that APIs define new error codes without discussing this in Commonalities and getting them standardised.
There was a problem hiding this comment.
DEVICE_IDENTIFIERS_MISMATCH is redundant because of the privacy issues, so I removed it
There was a problem hiding this comment.
See this comment. Proposal would be to use SERVICE_NOT_APPLICABLE and MISSING_IDENTIFIER.
| Other errors may be returned as specified below. | ||
| # Identifying a device from the access token |
There was a problem hiding this comment.
| # Identifying a device from the access token | |
| # Identifying a phone number from the access token |
There was a problem hiding this comment.
A 3-legged token may be generated from the device IP address
There was a problem hiding this comment.
See Commonalities #324 for updated text proposal
|
The What does need to be standardised are the Commonalities should tighten up code definitions for the next update of their design guidelines, so let's see what they define then. |
Co-authored-by: Fernando Prado Cabrillo <pradocabrillo.fernando@gmail.com>
What type of PR is this?
What this PR does / why we need it:
This is the initial proposal from Vodafone for the KYC Tenure API
Which issue(s) this PR fixes:
Fixes #12
Special notes for reviewers:
None
Changelog input
Additional documentation
None