NOT mandating ‘prompt=none’ in the auth code flow for number verification API

[mingshiatwork]

Problem description

The following line in the number-verification.yaml states that authentication for the Number Verification API must occur automatically without any user interaction, making the prompt=none parameter mandatory for the auth request:
Statement in YAML file:
• - (1): Authentication must be automatic without any user interactions. Authentication methods such as SMS OTP or user/password are incompatible, as the goal is to validate the mobile phone number that is accessing the App. So it is required to be authentication via mobile network and without the user being involved. the use of parameter prompt=none, as described in [OIDC Connect] (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest), ensures no user interaction.

However, this requirement conflicts with the Identity and Consent Management specifications, which include consent capture as part of both the Authorization Code flow (frontend) and the CIBA flow (backend).

In countries such as Thailand, explicit consent is required before a mobile operator processes a Number Verification API request. As a result, all first-time API auth requests for a subscriber are likely to be rejected if the client includes ‘prompt=none’ in the auth request.
This conflict needs resolution to ensure compliance with both specifications and regulatory requirements.

Expected behavior
The ‘prompt=none’ parameter should not be mandated in the auth code request for the Number Verification API. This flexibility enables the mobile operator to integrate consent capture into the authentication flow. Once consent is obtained, subsequent API requests should proceed without requiring user interaction.

Alternative solution

Additional context

[bigludo7]

Hello @mingshiatwork
Your request make sense.
@AxelNennker as you lead ICM may you provide feedback? could we trigger a PR as suggested by @mingshiatwork?

[mhfoo]

Adding more context: the API technical scope: number-verification:verify
Purpose: dpv:FraudPreventionAndDetection

[AxelNennker]

I see the issue more as an issue of NumberVerfication.

The API consumer can request an auth code without "prompt=none", but IF the MNO determines that consent is not granted and needed e.g. because the end-user opted out, then the MNO SHOULD redirect to end-user authentication and end-user consent collection. The MNO COULD return an error if the MNO decided that consent is needed and not present.

Why does the API Consumer not send the request with "prompt=none"? Wouldn't that solve the problem e.g. if the user opted-out and the legal basis requires consent?
Then the API consumer receives "error=consent_needed" and then the API consumer can start consent collection using OIDC auth code flow using "prompt=consent".

I created two PR in ICM because I want to achieve interoperability of CAMARA openid providers.
camaraproject/IdentityAndConsentManagement#229
camaraproject/IdentityAndConsentManagement#228

NumberVerification mixes two problems into one API:

• device authentication
• number verification

TS.43 created the operator token for "Device App authentication with OperatorToken" which we are currently integrating into CAMARA.

[mingshiatwork]

@bigludo7 We are rolling out the number verification service for enterprise customers and aim to align with the CAMARA specification. However, to ensure compliance with government regulations, it is critical that we do not bypass obtaining the subscriber's consent.
To that end, we seek your input and decision on not mandating the prompt=none parameter in the YAML file. Your prompt action on this matter will be greatly appreciated.
Thank you for your guidance and support.

[AxelNennker]

https://github.com/camaraproject/NumberVerification/blob/main/code/API_definitions/number-verification.yaml does not mandate prompt=none.

the use of parameter prompt=none, as described in OIDC Connect, ensures no user interaction.

But I see your point. OIDC authorization code flow and network-based authentication was discussed in ICM.

Personally, I would recommend to use prompt=none if no user-interaction is allowed.
If the returned error is consent_required then I would start another request with prompt=consent. Although, some operators have not implemented prompt=prompt. So, we would need an agreement of those operators in your market. Which shouldn't be that hard because user-consent is required.

I think that prompt=consent is the standard OIDC way that allows clients to ask for end-user consent.
The prompt parameter is mandatory to implement, but some operators say that "implementing" it can mean that the OP is free to respond to prompt parameters with an error message.

In ICM we stated that

CAMARA does not intend to limit the Authorization Code Flow to just network-based authentication in the future. New workstreams will be initiated to define the necessary changes that will ensure the Authorization Code Flow can be interoperably used with both network-based and non-network-based authentication methods.

I made a proposal that would allow API consumers to request network-based authentication or not. APIs could then make that mandatory.

Please comment on the ICM issues and contribute there. Or create a new issue if you think the current ones don't fit your needs.

[bigludo7]

@AxelNennker @mingshiatwork : I propose to move this issue to the discussion tab to keep it. No action identified.