How it Works

This section describes how this role works. The AMF supports OAuth2 client authorization to the NRF. The process runs according to the following procedures:

  • The AMF considers profiles with OAuth2-Enabled set to true only when the nf-client profile is configured with OAuth2-Enabled and the value is set to true for an nf-type.

  • The AMF internally sends the AccessToken request to the NRF server and stores the received token in the cache. The same token is reused until it expires.

  • When the profile is selected and the token has been received, the application includes the AccessToken in the Authorization header of the request toward the NF producer.

  • If the nf-client profile is not configured, OAuth2 is disabled on the consumer side. The AMF ignores the profiles with oauth2Required and selects the producer from the remaining profiles received in the discovery response.

  • For the AMF to send an AccessToken request to the NRF, endpoints must be configured in the CLI for service type OAuth2, and the same must be set in the profile nf-pair for each type where OAuth2 is enabled.

  • When OAuth2-Enabled is set to true in the CLI and none of the discovered profiles from the NRF has oauth2Required, no profiles from the discovery are selected. The AMF then reverts to the locally configured profiles. AccessToken requests are not sent for a locally configured profile, because it is assumed to be based on the local trust policy. The NRF has no information about this development.

  • When OAuth2-Enabled is set to false in the CLI and all the discovered profiles have oauth2Required enabled, none of the profiles in the discovery are selected. The AMF then reverts to the locally configured profiles. If no profiles are configured locally, the call fails.

  • While traffic is running with the OAuth feature enabled, a small number of 401-Unauthorized errors might be seen on the AMF side. To mitigate this risk, you can configure the failure handling template for all the possible causes (such as 401 error codes) to avoid failure of an end-to-end call.
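
The producer-selection and token-reuse rules in the list above, modelled as an added Python example for checking a planned configuration against expected behaviour; it is not AMF code. Assumptions: the function and class names are hypothetical, `fetch` stands in for the AccessToken request to the NRF, tokens are cached per target nf-type, the first matching candidate is chosen, and the token is sent with the standard OAuth2 `Bearer` scheme.

```python
import time

class CallFailed(Exception):
    """No usable producer profile, discovered or local."""

def select_producer(oauth2_enabled, discovered, local):
    """Return (profile, source, needs_token) following the rules in the list.

    oauth2_enabled: OAuth2-Enabled value of the nf-client profile for this nf-type
    discovered:     NF profiles from the NRF discovery response (dicts)
    local:          locally configured profiles, used as fallback
    """
    if oauth2_enabled:
        # Only discovered profiles that ask for OAuth2 are candidates.
        candidates = [p for p in discovered if p.get("oauth2Required")]
    else:
        # OAuth2 disabled on the consumer: skip profiles that require it.
        candidates = [p for p in discovered if not p.get("oauth2Required")]
    if candidates:
        # Assumption: take the first candidate; real selection may weigh priority.
        return candidates[0], "discovered", oauth2_enabled
    if local:
        # Local profiles rest on the local trust policy: no AccessToken request.
        return local[0], "local", False
    raise CallFailed("no discovered or local profile is usable")

class TokenCache:
    """Caches one AccessToken per nf-type and reuses it until it expires."""
    def __init__(self, fetch, clock=time.monotonic):
        self._fetch = fetch    # hypothetical: nf_type -> (token, expires_in_seconds)
        self._clock = clock
        self._tokens = {}      # nf_type -> (token, absolute expiry time)

    def get(self, nf_type):
        cached = self._tokens.get(nf_type)
        if cached and self._clock() < cached[1]:
            return cached[0]
        token, expires_in = self._fetch(nf_type)
        self._tokens[nf_type] = (token, self._clock() + expires_in)
        return token

def build_headers(oauth2_enabled, discovered, local, nf_type, cache):
    """Select a producer and attach the token only when the rules call for one."""
    profile, source, needs_token = select_producer(oauth2_enabled, discovered, local)
    headers = {}
    if needs_token:
        headers["Authorization"] = "Bearer " + cache.get(nf_type)
    return profile, source, headers
```

A `CallFailed` from this model corresponds to the case where OAuth2-Enabled is false, every discovered profile has oauth2Required, and no local profile exists.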