Merge pull request #418 from tlohmar/main

Clarification of the protocol and sink properties in the subscription…
camaraproject · Feb 19, 2025 · b720866 · b720866
2 parents d9bdebb + b2c10b7
commit b720866
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/documentation/API-design-guidelines.md b/documentation/API-design-guidelines.md
@@ -83,7 +83,7 @@ This document captures guidelines for the API design in CAMARA project. These gu
       - [subscription-ends event](#subscription-ends-event)
       - [Error definition for event notification](#error-definition-for-event-notification)
       - [Correlation Management](#correlation-management)
-      - [Security Considerations](#security-considerations)
+      - [Notifications Security Considerations](#notifications-security-considerations)
       - [Abuse Protection](#abuse-protection)
       - [Notification examples](#notification-examples)
   - [Appendix A (Normative): `info.description` template for when User identification can be from either an access token or explicit identifier](#appendix-a-normative-infodescription-template-for-when-user-identification-can-be-from-either-an-access-token-or-explicit-identifier)
@@ -1668,8 +1668,8 @@ Providing this capability is optional for any CAMARA API depending on UC require
 If this capability is present in CAMARA API, the following attributes **must** be used in the POST request :
 
 | attribute name | type   | attribute description                                                                                                                                                                                                                                                                                       | cardinality |
-|----------------|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------| 
-| sink           | string | https callback address where the notification must be POST-ed, `format: uri` should be used to require a string that is compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986).                                                                                                                                                                                                                                        | mandatory   |
+|----------------|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
+| sink           | string | https callback address where the notification must be POST-ed, `format: uri` should be used to require a string that is compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986).  The [security considerations](#notifications-security-considerations) should be followed.                | mandatory   |
 | sinkCredential | object | Sink credential provides authentication or authorization information necessary to enable delivery of events to a target. In order to be updated in future this object is polymorphic. See detail below. It is RECOMMENDED for subscription consumer to provide credential to protect notification endpoint. | optional    |
 
 Several types of `sinkCredential` could be available in the future, but for now only access token credential is managed.
@@ -1759,8 +1759,8 @@ The following table provides `/subscriptions` attributes
 
 | name           | type               | attribute description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | cardinality                  |
 |----------------|--------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------| 
-| protocol       | string             | Identifier of a delivery protocol. **Only** `HTTP` **is allowed for now**.                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Mandatory                    |
-| sink           | string             | The address to which events shall be delivered, using the HTTP protocol, `format: uri` should be used to require a string that is compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986).                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | mandatory                    |
+| protocol       | string             | Identifier of a delivery protocol for the event notifications. The values follow the definitions of the [CloudEvent specification](https://github.com/cloudevents/spec/blob/main/subscriptions/spec.md#protocol). **Only** `HTTP` **is allowed for now**.                                                                                                                                                                                                                                                                                | mandatory                    |
+| sink           | string             | The URL, to which event notifications shall be sent - `format: uri` should be used to require a string that is compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986). The URI-scheme shall be set according to the definition of the `protocol` value, e.g. the URI-scheme is `https` when `HTTP`is the value of the `protocol` property. The [security considerations](#notifications-security-considerations) should be followed.                                                                                   | mandatory                    |
 | sinkCredential | object             | Sink credential provides authorization information necessary to enable delivery of events to a target. In order to be updated in future this object is polymorphic. See detail below. To protect the notification endpoint providing sinkCredential is RECOMMENDED. <br> The sinkCredential must **not** be present in `POST` and `GET` responses.                                                                                                                                                                                                                                                                    | optional                     |
 | types          | string             | Type of event subscribed. This attribute **must** be present in the `POST` request. It is required by API project to provide an enum for this attribute. `type` must follow the format: `org.camaraproject.<api-name>.<api-version>.<event-name>` with the `api-version` with letter `v` and the major version like  ``org.camaraproject.device-roaming-subscriptions.v1.roaming-status`` - Note: An array of types could be passed **but as of now only one value MUST passed**. Use of multiple value will be open later at API level. | mandatory                    |
 | config         | object             | Implementation-specific configuration parameters needed by the subscription manager for acquiring events. In CAMARA we have predefined attributes like ``subscriptionExpireTime``, ``subscriptionMaxEvents`` or ``initialEvent``. See detail below.                                                                                                                                                                                                                                                                                      | mandatory                    |
@@ -1999,7 +1999,7 @@ To manage correlation between the subscription management and the event notifica
 
 Note: There is no normative enforcement to use any of these patterns, and they could be used on agreement between API consumer & providers.
 
-#### Security Considerations
+#### Notifications Security Considerations
 
 As notifications may carry sensitive information, privacy and security have to be considered.