-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support of Multi-SIM lines in CAMARA APIs #302
Comments
For the Vodafone implementation of multi-SIM, Whether an implementation will treat a For at least some other APIs, I think treating the
|
Thanks @eric-murray, Let me include one other question:
|
for MultiSim definition clarification, just checking whether we are considering multi-SIM as a scenario where both devices have separate MSISDNs under one account (i.e., the primary device has its own MSISDN, and each secondary device has its own distinct MSISDN), allowing each device to operate independently without sharing call/message capabilities? Or, are we considering scenarios where secondary devices share the same MSISDN as the primary device, meaning all devices are linked to the same number under the same account, enabling users to receive calls and messages on any of the devices? |
It's the second one @sachinvodafone, several SIMs (IMSI) linked (publicly) to the same MSISDN. Implementations may assign internally a secondary MSISDN to each SIM, for network operation, but in general customers are not aware of this secondary MSISDN. |
I think this is only a problem with CIBA, right? If the authentication request is from one of the devices with the same MSISDN and the API consumer is using OIDC authorization code flow then the device can be uniquely identified. The access token is then associated with that device. |
This issue also applies to client_credentials grant |
client_credentials and CIBA currently use the MSISDN. In client_credentials with MSISDN, I see no solution. We would need some other shared identifier e.g. iccid For OIDC authorization code flow, we do not have a problem for tablets and (backup) smartphones. Wi-Fi Hotspots and Wearables fall in the standard OAuth2 use case of limited UI-capability devices like picture frames. My conclusion: CIBA depends too much on the UI-capabilities of the device. I see no relevant business case. client_credentials does not work if the only device identifier the API consumer and the operator share is the MSISDN. Use OIDC authorization code flow and be happy! |
API specs are decoupled of the authorization method used to get the access token. Each operation just assumes that we have an access token and eventually some device/phoneNumber identification, and it would be good if information within each API gave some guidelines for the implementation. But I wouldn't expect a single solution applicable to every CAMARA API, as part of the Commonalities guidelines. The problematic case is when input is a MSISDN assigned as common phoneNumber for a multiSIM pack, and an instance of SIM within the multi-SIM pack cannot be deducted from the access token. Options in this case are:
|
I think that IMSI is in most cases the best identifier associated with the access token. CIBA does not work with Multi-SIM. Usually there is exactly one SMS-device defined for the MSISDN and the CIBA message would end up at the SMS-device for user authentication and consent collection but that does not identify which device is the intended one. Client-credentials flow does work in the Multi-SIM case. The API provider could the return the roaming status of all devices with that msisdn but that seems to be somewhat of a privacy invasion. Maybe the device-status API should include information whether the MSISDN is a multi-sim msisdn?! Multi-SIM is also something to consider if the MNO implemented some privacy/consent/transparency management API or web-pages. So, what do we tell API consumer who bought a CAMARA API? If a MNO is a CIBA-only or client-credentials-only API producer who only ever implements no-user-consent-needed use-cases then they would likely return an error (device_unknown_multi_sim?) to the authentication request for that Multi-SIM MSISDN. Multi-SIM support might be a business decision that we cannot solve on a technical level. Business stream? |
To be considered as part of #273
Intro
Current CAMARA APIs based their functionality on subscriber's line identity, usually phone_number. Specifically for mobile lines, that is a suitable identity for the most of scenarios, but there is an specific case that requires analysis.
MultiSIM lines
MNOs usually offer a line enhancement that allows users to install the same phone line (same MSISDN) in multiple devices, known as MultiSIM. Even when different technical solutions are posible, the service is based on multiple SIMs (phisical or virtual) that are binded to the same main phone_number, it is, multiple IMEIs associated to the same MSISDN This approach is commonly used to enable secondary/companion devices like:
MultiSIM in CAMARA APIs
While certain APIs are agnostic to MultiSIM situation, since they refer to information of the proper line or even subscriber like carrier billing, KYC, OTP..., other APIs are tied to a device and require a different consideration to be managed in a MultiSIM scenario.
Just as couple of examples:
Action required
Based on this scenario analysis and handled by a common aligned approach for similar cases:
CAMARA APIs need to analyze their impact when a MultiSIM scenario is handled, define a specific behaviour and adapt the API (if needed)
As example of current discussions or defined behaviours, SIM Swap already considers MultiSIM lines as part of the information that the API needs to retrieve.
The text was updated successfully, but these errors were encountered: