NRF Access Token Service

Feature Summary and Revision History

Summary Data

Table 1. Summary Data

Applicable Product(s) or Functional Area: 5G-NRF

Applicable Platform(s): SMI

Feature Default Setting: Disabled - Configuration Required

Related Changes in this Release: Not Applicable

Related Documentation: Not Applicable

Revision History

Table 2. Revision History

Revision Details     Release
First introduced.    2026.01

Feature Description

The NRF supports the Access Token service, which enables NF service consumers to request an OAuth2 access token from the authorization server (NRF).

The NRF Access Token service feature provides the following functionality:

  • The General Get Access Token Request procedure.

  • The access token request for a specific NF service producer (the targetNfInstanceId is present in AccessTokenReq).

  • The access token request not for a specific NF service producer (the targetNfType is present in AccessTokenReq).

  • The shared secret keys and public keys are stored as Secrets in K8s.

  • Policy driven authorization for issuing an access token based on the consumer and producer NFType combination.

  • Supports the HS256, RS256 and ES256 JWS algorithms for signing the generated Access Token.

  • Supports IPv6 addresses.

How it Works

The following sections describe how the NRF Access Token service feature works.

Deployment Considerations

This section describes the deployment aspects which are required for the Access Token service feature to work, but are outside the control of NRF NF services.

The following deployment considerations are applicable for the NRF Access Token service feature.

  • Key management operations (shared key, public key, and private key) such as key generation, key provisioning, and sharing the keys with producer NFs.

  • Key rotation mechanism and strategy.

  • Public and private keys are in the .pem format. Do not use a pass phrase when generating a .pem file.

  • ES256 uses prime256v1 (secp256r1) as the curve for Key Pair generation.


    Note


    In a single deployment, you can configure only one of the supported JWS algorithms (HS256, ES256, or RS256).


Access Token Request for a Specific NF Service Producer

  1. The NF sends a POST Access Token Request to the NRF API endpoint.

  2. The NRF API endpoint decodes, validates, and converts the POST request into a gRPC format to forward it to the NRF service engine.

  3. The NRF service engine gets the NF profiles from CDL based on the nfInstanceID of the NF consumer and producer.

  4. The NRF service engine authorizes the request based on the accessTokenNfProfileAuthorization/accessTokenAuthorizationPolicy configurations and generates the Access Token using the configured JWS algorithm (HS256, RS256, or ES256).

    The service engine creates and sends the Access Token Response as a gRPC message to the NRF API endpoint.

  5. The NRF API endpoint sends the Access Token Response to the NF consumer.

Access Token Request for not a Specific NF Service Producer

  1. The NF sends a POST Access Token Request to the NRF API endpoint.

  2. The NRF API endpoint decodes, validates, and converts the POST request into a gRPC format to forward it to the NRF service engine.

  3. The NRF service engine gets the NF profiles from CDL based on the nfInstanceID of the NF consumer.

  4. The NRF service engine authorizes the request based on the accessTokenAuthorizationPolicy and generates the Access Token using the configured JWS algorithm (HS256, RS256, or ES256).

    The service engine creates and sends the Access Token Response as a gRPC message to the NRF API endpoint.

  5. The NRF API endpoint sends the Access Token Response to the NF consumer.
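The following is an added example, not code from the NRF product: a small Python model of step 4 for a targetNfType request (policy check by consumer/producer NFType, then HS256 signing), plus the check a producer NF would run on the received token. It assumes the claim names of 3GPP TS 29.510 AccessTokenClaims (iss, sub, aud, scope, exp); the key, instance identifiers, and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Sample Policy1 from this page: consumer NFType -> permitted producer NFTypes.
POLICY1 = {"AMF": {"SMF", "UDM"}, "SMF": {"PCF", "UDM"}}
VALIDITY_MIN = 180   # accessTokenValidityPeriod default (allowed range 30..2880)
SHARED_KEY = b"constructed-demo-key-not-for-production"   # constructed sample key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(consumer_id, consumer_type, target_type, scope, now=None):
    """Authorize by NFType pair, then sign an HS256 JWS. Returns None if denied."""
    if target_type not in POLICY1.get(consumer_type, set()):
        return None                      # policy has no such consumer/producer pair
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "nrf-instance-placeholder", "sub": consumer_id,
              "aud": target_type, "scope": scope, "exp": now + VALIDITY_MIN * 60}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_token(token, my_nf_type, now=None):
    """Producer-side check: pinned algorithm, signature, audience, expiry."""
    try:
        h, c, s = token.split(".")
        header, claims, sig = json.loads(unb64url(h)), json.loads(unb64url(c)), unb64url(s)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("header and claims must be JSON objects")
    except (ValueError, TypeError):
        return None
    if header.get("alg") != "HS256":     # pin the configured algorithm; ignore the token's choice
        return None
    expected = hmac.new(SHARED_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    now = int(time.time()) if now is None else now
    if claims.get("aud") != my_nf_type or claims.get("exp", 0) <= now:
        return None
    return claims
```

Because a deployment configures exactly one JWS algorithm, the verifier compares the header against that fixed value rather than selecting a verification routine from the token header.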

Configuring the NRF Access Token Service

This section describes how to configure the NRF Access Token service feature.

Configuration Example for Access Token Request for a Specific NF Service Producer

nrf-profile profile-settings access-token-jws-algo ES256
nrf-profile profile-settings access-token-jws-key "$8$jY+XpfP9BsotpBvqZCE26N3/
hHJ90xfjVu1AXDZFcftcvgk7nA4oHt1yIny1BzU8ssmZjQdK\naVxOHzKUUzIDOan4bCSo7w7wfK1Upn
AoQBn7fj25/ZP32Cb8YpUFHya5BpnP38skatRQfWNd\n64uv4EQMD/4+XUbILJ0U4zH2di+9cwtGhYmMym
+zwDpYEai0sO1HaUoabRsLbWD74s8MK1An\neNxRPAHwWd3oxfELFrl1mrwkkNl2d6vMBMVv2Rr8mM5WLsLbN
S3Isxwur25UAwjfs13Qy9kw\ngpMEmqqovVUDfNeHcmVQ+XuK2hBfdlHXjbgtOWljZqbAbyr6IFnwgg=="

Configuration Example for Access Token Request for not a Specific NF Service Producer

nrf-profile profile-settings access-token-jws-algo ES256
nrf-profile profile-settings access-token-jws-key "$8$jY+XpfP9BsotpBvqZCE26N3/
hHJ90xfjVu1AXDZFcftcvgk7nA4oHt1yIny1BzU8ssmZjQdK\naVxOHzKUUzIDOan4bCSo7w7wfK1Upn
AoQBn7fj25/ZP32Cb8YpUFHya5BpnP38skatRQfWNd\n64uv4EQMD/4+XUbILJ0U4zH2di+9cwtGhYmMym
+zwDpYEai0sO1HaUoabRsLbWD74s8MK1An\neNxRPAHwWd3oxfELFrl1mrwkkNl2d6vMBMVv2Rr8mM5WLsLbN
S3Isxwur25UAwjfs13Qy9kw\ngpMEmqqovVUDfNeHcmVQ+XuK2hBfdlHXjbgtOWljZqbAbyr6IFnwgg=="
nrf-profile profile-settings access-token-authorization-policy AMF
producer-nf-types [ UDM SMF ]
exit
nrf-profile profile-settings access-token-authorization-policy SMF
producer-nf-types [ UDM PCF ]
exit

Configuration Parameters

This section describes the configuration parameters for this feature.

Table 3. Configuration Parameters for NRF Access Token Service

accessTokenJwsAlgoType
    Description: JWS algorithm used for the Access Token.
    Values: HS256 / RS256 / ES256

accessTokenJwsKey
    Description: JWS key corresponding to the JWS algorithm for the Access Token.
    Values: Shared Secret Key (HS256) / Certificate (RS256 / ES256), corresponding to the JWS algorithm (string)

accessTokenValidityPeriod
    Description: The time, in minutes, for which the access token is valid from the time of issue.
    Values: 30..2880
    Default Value: 180

accessTokenAuthorizationPolicy
    Description: Authorization policy used for the Access Token.
    Values: Example: Policy1

accessTokenNfProfileAuthorization
    Description: Authorize Access Token Requests based on nfProfile (for Access Token Request for a specific NF Service Producer).
    Values: True / False
    Default Value: True


Table 4. Sample accessTokenAuthorizationPolicy Policy1

Consumer NFType    Producer NFTypes
AMF                SMF, UDM
SMF                PCF, UDM