-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Do not _extract_ the device identification from the access token #268
Comments
I see your point... wording could be revisited if current description is misleading. The device identification can be derived from information associated with the access token. However, this information is not necessarily contained in the access token itself. |
The came up for the Device Identifier API, and the proposed wording is now:
For that API, it is important to distinguish between the mobile subscription identifier and the physical device identifier, hence the quite specific wording. A more generic wording would be:
|
There is an assumption on the association between the device and the 3-legged access token - it is that the telco provider needs to record or associate the physical device used to call the For e.g. can one use a web interface of an app (instead of native app) that uses QoD API from a desktop and get an access token assuming the front-end flow is enabled by the API provider? It is still a valid use case to request a QoD session for the mobile device by passing the |
Problem description
The Appendix A: info.description template for device identification from access token contains text that gives the impression that some information can be "extracted" from the access token and that that information is therefore in the access token.
OAuth2, OIDC and Camara ICM do not specify the format of the access token. The access token can be self-contained and then would in fact contain said information or the access token is a reference to a database where the wording extract from the access token would not make much sense.
Expected behavior
Use language that does not suggest how access-tokens are implemented.
The text was updated successfully, but these errors were encountered: