Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support of Multi-SIM lines in CAMARA APIs #302

Open
jgarciahospital opened this issue Sep 20, 2024 · 10 comments
Open

Support of Multi-SIM lines in CAMARA APIs #302

jgarciahospital opened this issue Sep 20, 2024 · 10 comments
Labels
enhancement New feature or request Spring25

Comments

@jgarciahospital
Copy link

To be considered as part of #273

Intro

Current CAMARA APIs based their functionality on subscriber's line identity, usually phone_number. Specifically for mobile lines, that is a suitable identity for the most of scenarios, but there is an specific case that requires analysis.

MultiSIM lines

MNOs usually offer a line enhancement that allows users to install the same phone line (same MSISDN) in multiple devices, known as MultiSIM. Even when different technical solutions are posible, the service is based on multiple SIMs (phisical or virtual) that are binded to the same main phone_number, it is, multiple IMEIs associated to the same MSISDN This approach is commonly used to enable secondary/companion devices like:

  • Wearables
  • Tablets
  • Wi-Fi hotspots
  • Backup smartphones

MultiSIM in CAMARA APIs

While certain APIs are agnostic to MultiSIM situation, since they refer to information of the proper line or even subscriber like carrier billing, KYC, OTP..., other APIs are tied to a device and require a different consideration to be managed in a MultiSIM scenario.

Just as couple of examples:

  • when enabling a QoD session targeted for a MSISDN, if multiple SIMs and devices are associated to that same MSISDN, the telco need to know/decide which of those SIMs are to be affected. Behaviour need to be defined.
  • when verifying the location of an MSISDN, if multiple SIMs and devices are associated to that same MSISDN, the telco need to know/decide which device's location information to retrieve, since different geographical locations can co-exist for each device associated to the same MSISDN.

Action required

Based on this scenario analysis and handled by a common aligned approach for similar cases:
CAMARA APIs need to analyze their impact when a MultiSIM scenario is handled, define a specific behaviour and adapt the API (if needed)

As example of current discussions or defined behaviours, SIM Swap already considers MultiSIM lines as part of the information that the API needs to retrieve.

@eric-murray
Copy link
Collaborator

For the Vodafone implementation of multi-SIM, phoneNumber is still a valid identifier for each of the secondary devices, as each SIM still has its own MSISDN (the "secondary" MSISDN). For the "primary" device (usually the smartphone), the primary and secondary MSISDNs are the same.

Whether an implementation will treat a phoneNumber as the primary or secondary MSISDN is dependent on that implementation. For the Device Identifier API, I added a statement that phoneNumber would be treated as the secondary MSISDN, which would allow retrieval of the IMEI for secondary devices without affecting the ability to retrieve the IMEI for the primary device.

For at least some other APIs, I think treating the phoneNumber as the secondary MSISDN will also work just as well, but does pose the following questions:

  • How does the API consumer learn the secondary MSISDN if they do not already know it?
  • Are there any implementations of multi-SIM where secondary devices do not have their own MSISDN? If so, what identifiers for secondary devices are valid in those cases?

@jgarciahospital
Copy link
Author

Thanks @eric-murray,

Let me include one other question:

  • How does the API consumer learn the secondary MSISDN if they do not already know it?
  • Are there any implementations of multi-SIM where secondary devices do not have their own MSISDN? If so, what identifiers for secondary devices are valid in those cases?
  • How do we manage request when primary MSISDN is included? First because user may not be aware of the rest of secondary MSISDNs (if exist), and second because applications will for sure only have the primary.
  1. Either consider that the users know that primary device is exactly the device identifier they want to use.
  2. Or consider that maybe the user/developer only knows the primary MSISDN, and therefore we cannot be sure that they are targeting exactly primary device and a different behaviour need to be considered for the rest of devices too.

@sachinvodafone
Copy link
Collaborator

for MultiSim definition clarification, just checking whether we are considering multi-SIM as a scenario where both devices have separate MSISDNs under one account (i.e., the primary device has its own MSISDN, and each secondary device has its own distinct MSISDN), allowing each device to operate independently without sharing call/message capabilities?

Or, are we considering scenarios where secondary devices share the same MSISDN as the primary device, meaning all devices are linked to the same number under the same account, enabling users to receive calls and messages on any of the devices?

@jlurien
Copy link
Contributor

jlurien commented Oct 21, 2024

It's the second one @sachinvodafone, several SIMs (IMSI) linked (publicly) to the same MSISDN. Implementations may assign internally a secondary MSISDN to each SIM, for network operation, but in general customers are not aware of this secondary MSISDN.

@AxelNennker
Copy link
Contributor

I think this is only a problem with CIBA, right?

If the authentication request is from one of the devices with the same MSISDN and the API consumer is using OIDC authorization code flow then the device can be uniquely identified. The access token is then associated with that device.
The access token does not even need to be associated with the MSISDN.

@eric-murray
Copy link
Collaborator

@AxelNennker

I think this is only a problem with CIBA, right?

This issue also applies to client_credentials grant

@AxelNennker
Copy link
Contributor

@eric-murray

This issue also applies to client_credentials grant

client_credentials and CIBA currently use the MSISDN.
If the device cannot be determined by the MSISDN, then bummer.

In client_credentials with MSISDN, I see no solution. We would need some other shared identifier e.g. iccid
In CIBA the MNO could provide a device-selection UI on the authentication device, but standardizing UI (capabilities) is not going to happen in my lifetime. I think that is possible, but unlikely to happen.

For OIDC authorization code flow, we do not have a problem for tablets and (backup) smartphones.

Wi-Fi Hotspots and Wearables fall in the standard OAuth2 use case of limited UI-capability devices like picture frames.
If the devices can show a e.g. a code or qrcode then, we are back to OAuth2. That can be made to should work with OpenId.
If we limit the devices to near-zero or zero UI-capabilities, then I would question the business viability of this use case.
Those devices are usually not running an standard OS and their capabilities vary at lot. Availability of Wifi or Bluethooth, hardware buttons and (touch-)screens. It is near to impossible to find a CAMARA solution that is not proprietary, I think.
This kind of hardware exists today and they have found solutions for their problems.
With wearables, I think, we are might be more in TS.43 territory and associating a secondary device with a primary device
Additionally, the danger of privacy and freedom violations are huge when the UI-capabilities on the device are low e.g. when the CAMARA API used is Device-Location.

My conclusion:
If the device is able to run a browser or mobile app, then use OIDC authorization code flow and there is no problem because we can identify the device directly and e.g. associate the access token with the IMSI.
I think that use case is the most important business case.

CIBA depends too much on the UI-capabilities of the device. I see no relevant business case.

client_credentials does not work if the only device identifier the API consumer and the operator share is the MSISDN.

Use OIDC authorization code flow and be happy!

@jlurien
Copy link
Contributor

jlurien commented Nov 14, 2024

API specs are decoupled of the authorization method used to get the access token. Each operation just assumes that we have an access token and eventually some device/phoneNumber identification, and it would be good if information within each API gave some guidelines for the implementation. But I wouldn't expect a single solution applicable to every CAMARA API, as part of the Commonalities guidelines.

The problematic case is when input is a MSISDN assigned as common phoneNumber for a multiSIM pack, and an instance of SIM within the multi-SIM pack cannot be deducted from the access token. Options in this case are:

  • To adapt the logic for the multiSIM case, keeping the same response schema.

    • This is, for example, what sim-swap proposes. For other APIs it may work as well (device-status. location-verification, etc). For others, like quality-on-demand or location-retrieval is not that simple. WGs may decide to document in the API spec a common approach to the problem, or leave some space for implementations to act upon the case.
  • API server cannot fulfill the request if a single instance is not identifiable by means of the access token.

    • Then an error response makes sense. From the current set of proposed error codes, the one that is more suitable, IMO, is 422 SERVICE_NOT_APPLICABLE (The service is not available for the provided identifier), or even the generic 422 Unprocessable Content
    • Although it wouldn't be clear if service is not available for multiSIM lines, or if the service is potentially available for multiSIM lines, but the combination of access token + provided identifier is not processable. Implementations may provide some additional guideline by means of the message in the error response.

@AxelNennker
Copy link
Contributor

I think that IMSI is in most cases the best identifier associated with the access token.
IMSI definitely solves the Multi-SIM use case's problem if the MNO can associate the IMSI (and maybe IMEI) to the access token.

CIBA does not work with Multi-SIM. Usually there is exactly one SMS-device defined for the MSISDN and the CIBA message would end up at the SMS-device for user authentication and consent collection but that does not identify which device is the intended one.
For CIBA there could be a way out if the link send to the SMS device would link to a device-selection page at the MNO but that probably would lead to inconsistent flows because one MNO might implement device-selection while others won't.

Client-credentials flow does work in the Multi-SIM case. The API provider could the return the roaming status of all devices with that msisdn but that seems to be somewhat of a privacy invasion.

Maybe the device-status API should include information whether the MSISDN is a multi-sim msisdn?!

Multi-SIM is also something to consider if the MNO implemented some privacy/consent/transparency management API or web-pages.
Can the user grant consent to all APIs for all devices with that MSISDN?
Can the user opt-out for an API for all API consumers with that MSISDN?
Or can the user treat the devices individually?

So, what do we tell API consumer who bought a CAMARA API?
"Dear API Consumer, regarding API X, if the end-user has Multi-SIM you cannot use CIBA nor can you use client credentials flow. You must use OIDC authorization code flow"
or do we tell the API consumer:
"Dear API Consumer, just x% of all end-users served by CAMARA have Multi-SIM. Those x% are negligible. Getting an access token for those end-users will fail"

If a MNO is a CIBA-only or client-credentials-only API producer who only ever implements no-user-consent-needed use-cases then they would likely return an error (device_unknown_multi_sim?) to the authentication request for that Multi-SIM MSISDN.
Would then all other MNOs return an error for consistency reasons?

Multi-SIM support might be a business decision that we cannot solve on a technical level. Business stream?

@AxelNennker
Copy link
Contributor

I created a PR for DeviceIdentifier to remove text about Multi-SIM.
camaraproject/DeviceIdentifier#89
Not because I think that text about multi-sim is not needed - I think the API consumer should know about the multi-sim case.

I would like to avoid text about multi-sim like what we currently have in QoD which basically says that one MNO might implement QoD this way and a different MNO might implement QoD in a different way.

If the phone number is used as the device identifier when provisioning in a multi-SIM scenario, the API may respond with an error, apply the provisioning to all devices in the multi-SIM group, or apply the provisioning to a single device in the multi-SIM group which may not be the intended device.
This a good clarification, but still, I think, we should avoid that a CAMARA API has ambiguous results.

DeviceLocation has an open issue on Multi-SIM support since Sep '23
camaraproject/DeviceLocation#257

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request Spring25
Projects
None yet
Development

No branches or pull requests

6 participants