
CN116782228A - Authorization verification methods and devices - Google Patents


Info

Publication number: CN116782228A
Authority: CN (China)
Prior art keywords: service, network, information, public mobile, mobile communication
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202210237627.3A
Other languages: Chinese (zh)
Inventors: 李飞, 何承东, 张博
Current assignee: Huawei Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202210237627.3A
Priority to PCT/CN2023/077414 (WO2023169206A1)
Publication of CN116782228A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 12/084 Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W 12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security
    • H04W 12/69 Identity-dependent

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

An embodiment of this application provides an authorization verification method. The method includes: a first network element receives a service request message from a second network function (NF), where the second NF is located in a second public land mobile network (PLMN), the service request message is used to request that a first NF located in a first PLMN provide a first service to the second NF, the service request message includes an access token, a purpose of request and an identifier of the second PLMN, and the access token includes a PLMN identifier and an interconnect purpose; the first network element performs authorization of the second NF to use the first service and, before performing the authorization, determines that the identifier of the second PLMN is the same as the PLMN identifier in the access token and that the purpose of request is the same as the interconnect purpose. Based on this solution, the security of access control can be improved, which ensures that service consumers obtain services legitimately in the interconnection scenario.

Description

Authorization verification methods and devices

Technical field

The embodiments of this application relate to the field of communication technology, and in particular to an authorization verification method and device.

Background

In the fifth generation (5G) service-based system architecture, the two parties that communicate over a service-based interface are called the service consumer and the service producer. The party that requests a service is called the service consumer (also called the service requesting network element), and the party that provides the service is called the service producer (also called the service providing network element). When a network function (NF) service consumer requests a service from an NF service producer, the NF service producer needs to perform an authorization check on the service requested by the NF service consumer.

In the interconnection scenario, the networks of different operators are not directly connected; security edge protection proxies (SEPPs) are deployed at the points where a network connects to other operators' networks, to maintain the security of the operator's own network. For example, when an NF service consumer of operator A requests a service from an NF service producer of operator B, the SEPP verifies whether operator A and operator B are allowed to communicate, but the security of access control still needs to be further improved.

Summary of the invention

The embodiments of this application provide an authorization verification method and device, which can improve the security of access control and ensure that NF service consumers obtain services legitimately in the interconnection scenario.

In a first aspect, an authorization verification method is provided. The method includes: a first network element receives a service request message from a second network function (NF), where the second NF is located in a second public land mobile network (PLMN), the service request message is used to request that a first NF located in a first PLMN provide a first service to the second NF, the service request message includes an access token, a purpose of request and an identifier of the second PLMN, and the access token includes a PLMN identifier and an interconnect purpose; the first network element performs authorization of the second NF to use the first service and, before performing the authorization, determines that the identifier of the second PLMN is the same as the PLMN identifier in the access token and that the purpose of request is the same as the interconnect purpose.

The second NF may be a service requesting network element, and the first network element may be a first SEPP located in the first PLMN, a second SEPP located in the second PLMN, or a service providing network element.

Based on the above solution, when an NF service consumer requests the first service from an NF service producer, the first network element can perform authorization verification on the NF service consumer according to the PLMN identifier and the interconnect purpose in the access token carried in the service request message, that is, verify whether the NF service consumer is authorized to use the requested service. Specifically, NF service consumers in the network indicated by the PLMN identifier in the access token can use the NF service producer's service for the interconnect purpose, while NF service consumers in other networks cannot, which ensures that NF service consumers obtain services legitimately in the interconnection scenario.

At the same time, by determining that the purpose of request in the service request message is the same as the interconnect purpose in the access token, it is ensured that the access token is used in the interconnection scenario, which prevents misuse of the access token.

In addition, the solution provided by this application allows finer-grained access control. For example, in some cases two PLMNs are allowed to communicate, but a particular NF service producer must not provide services to NF service consumers in the interconnection scenario; the first SEPP (or second SEPP) can then reject the service requested by that NF service consumer. That is, under the conventional solution, since the two PLMNs are allowed to communicate, the NF service consumer's service request message would be forwarded to the NF service producer, whereas the solution of this application additionally performs authorization verification of the NF service consumer based on the PLMN identifier and the interconnect purpose in the access token; if the verification fails, forwarding of the service request message can be refused, or the NF service consumer's service request can be rejected directly.

The first network element performing authorization of the second NF to use the first service may take the following specific forms: when the first network element is the first NF, if the second NF is authorized to use the first service, the first NF provides the first service to the second NF; or, when the first network element is the first SEPP located in the first PLMN or the second SEPP located in the second PLMN, the first network element forwards the service request message.

The service request message is associated with the second NF. For example, in one possible scenario, the first network element receives the service request message directly from the second NF; in another possible scenario, the first network element receives the service request message from the second SEPP, where the second SEPP may have received it directly from the second NF; in yet another possible scenario, the first network element receives the service request message from the first SEPP, where the first SEPP may have received it from the second SEPP, which in turn may have received it directly from the second NF.

It should be understood that the information in the access token has already been authorized; the first network element can verify the service request message based on the information in the access token, and either authorize the second NF to use the first service or refuse the second NF the use of the first service.

It should be understood that the access token is security-protected, for example integrity-protected, so that a malicious NF service consumer cannot tamper with the information in the access token.

It should be understood that all the information included in the access token may be verified; when all the information in the access token passes verification, the service requesting network element may be authorized to use the first service of the service providing network element.

With reference to the first aspect, in a possible implementation, the service request message further includes information about the second NF, and the access token further includes NF information; before performing the authorization, the method further includes: the first network element determines that the information about the second NF is the same as the NF information.

The NF information in the access token may indicate the service requesting network element (NF service consumer) to which the access token applies in the interconnection scenario, for example an NF type or an NF instance ID. That the access token applies to a service requesting network element means that the applicable service requesting network element may use the access token to obtain a service, or in other words that a network element outside the scope of the applicable service requesting network element may not use the access token to obtain a service.

Based on the above technical solution, when the second NF requests the first service from the first NF, the first network element can authorize the second NF to use the first service according to the PLMN identifier, the interconnect purpose and the NF information in the access token carried in the service request message, ensuring that the second NF is a service requesting network element to which the access token applies in the interconnection scenario; this prevents misuse of the access token and ensures that NF service consumers obtain services legitimately in the interconnection scenario.

With reference to the first aspect, in a possible implementation, the service request message further includes information about the first service, and the access token includes service information; before performing the authorization, the method further includes: the first network element determines that the information about the first service is the same as the service information.

The service information in the access token may indicate the service to which the access token applies in the interconnection scenario. It can be understood that when the service request message requests the applicable service, the access token may be used to obtain the service; conversely, when the service requested by the service request message is not the applicable service, the access token may not be used to obtain the service.

Based on the above technical solution, when the second NF requests the first service from the first NF, the first network element can perform authorization verification of the second NF using the first service according to the PLMN identifier, the interconnect purpose, the NF information and the service information in the access token carried in the service request message, further ensuring that the service requested by the second NF is a service applicable in the interconnection scenario, and thus that NF service consumers obtain services legitimately in the interconnection scenario.

With reference to the first aspect, in a possible implementation, the first network element refuses the second NF the use of the first service, and before the refusal determines that the identifier of the second PLMN is different from the PLMN identifier in the access token, and/or that the purpose of request is different from the interconnect purpose.

Based on the above technical solution, when the second NF requests the first service from the first NF, the first network element can refuse the second NF the use of the first service according to the PLMN identifier and the interconnect purpose in the access token carried in the service request message, which prevents malicious NF service consumers from obtaining services illegitimately in the interconnection scenario.

With reference to the first aspect, in a possible implementation, the service request message further includes information about the second NF, and the access token further includes NF information; the method further includes: the first network element refuses the second NF the use of the first service, and before the refusal determines that the identifier of the second PLMN is different from the PLMN identifier in the access token, and/or that the purpose of request is different from the interconnect purpose, and/or that the information about the second NF is different from the NF information.

Based on the above technical solution, when the second NF requests the first service from the first NF, the first network element can perform authorization verification of the second NF using the first service according to the PLMN identifier, the interconnect purpose and the NF information in the access token carried in the service request message, which prevents malicious NF service consumers from obtaining services illegitimately in the interconnection scenario.

With reference to the first aspect, in a possible implementation, the service request message further includes information about the second NF and information about the first service, and the access token further includes NF information and service information; the method further includes: the first network element refuses the second NF the use of the first service, and before the refusal determines that the identifier of the second PLMN is different from the PLMN identifier in the access token, and/or that the purpose of request is different from the interconnect purpose, and/or that the information about the second NF is different from the NF information, and/or that the information about the first service is different from the service information.

Based on the above technical solution, when the second NF requests the first service from the first NF, the first network element can authorize the second NF to use the first service according to the PLMN identifier, the interconnect purpose, the NF information and the service information in the access token carried in the service request message, which prevents malicious NF service consumers from obtaining services illegitimately in the interconnection scenario.

With reference to the first aspect, in a possible implementation, the first network element is the first NF, the SEPP of the first PLMN, or the SEPP of the second PLMN.

In a second aspect, a method of sending an access token is provided. The method includes: a first NF repository function (NRF) located in a first PLMN receives a registration request from a first NF located in the first PLMN, where the registration request includes a list of PLMNs allowed access under an interconnect purpose, and the PLMN list includes a second PLMN; the first NRF completes the registration of the first NF; the first NRF receives a first request message from a second NF, where the second NF is located in the second PLMN, the first request message is used to request an access token, the access token is used to access a first service of the first NF located in the first PLMN, and the first request message includes an identifier of the second PLMN and the interconnect purpose; in response to the first request message, the first NRF generates the access token, which includes the identifier of the second PLMN and the interconnect purpose; and the first NRF sends the access token to the second NF.

The first NF may be an NF service producer, and the second NF may be an NF service consumer. Before the first NF provides a service to the second NF, during its registration with the first NRF it carries, for the interconnection scenario, the identifiers of the PLMNs allowed access. The second NF can request an access token from the first NRF; if the identifier of the PLMN in which the second NF is located belongs to the identifiers of the PLMNs allowed access, the first NRF generates an access token carrying the identifier of the second PLMN and the interconnect purpose, and sends it to the second NF.

Based on the above technical solution, when the second NF requests an access token from the first NRF, the second NF can be authorized according to the identifiers of the PLMNs allowed access under the interconnect purpose, as carried by the first NF in its registration request. Specifically, when it is determined that the identifier of the second PLMN belongs to the identifiers of the PLMNs allowed access under the interconnect purpose, the first NRF can send the second NF an access token that can be used to access the first NF's service in the interconnection scenario, which ensures that NF service consumers obtain services legitimately in the interconnection scenario.

With reference to the second aspect, in a possible implementation, the registration request further includes information about the NFs allowed to access the first NF under the interconnect purpose; the first request message further includes information about the second NF; and the first NRF generating the access token in response to the first request message includes: the first NRF determines that the information about the NFs allowed to access the first NF under the interconnect purpose includes the information about the second NF, and the first NRF generates the access token, which further includes the information about the second NF. Alternatively, the registration request further includes information about the NFs allowed to access the first NF under the interconnect purpose and information about the services allowed to be accessed under the interconnect purpose; the first request message further includes the information about the second NF and information about the first service; and the first NRF generating the access token in response to the first request message includes: the first NRF determines that the information about the NFs allowed to access the first NF under the interconnect purpose includes the information about the second NF and that the information about the services allowed to be accessed under the interconnect purpose includes the information about the first service, and the first NRF generates the access token, which further includes the information about the second NF and the information about the first service.

Based on the above technical solution, when the second NF requests an access token from the first NRF, the second NF can be authorized according to the identifiers of the PLMNs allowed access under the interconnect purpose and the information about the NFs allowed to access the first NF, as carried by the first NF in its registration request. Specifically, when it is determined that the identifier of the second PLMN belongs to the identifiers of the PLMNs allowed access under the interconnect purpose and that the information about the second NF matches the information about the NFs allowed to access the first NF, the first NRF can send the second NF an access token that can be used to access the first NF's service in the interconnection scenario, which ensures that NF service consumers obtain services legitimately in the interconnection scenario.

Alternatively, the second NF can be authorized according to the identifiers of the PLMNs allowed access under the interconnect purpose, the information about the NFs allowed to access the first NF, and the information about the services allowed to be accessed, as carried by the first NF in its registration request. Specifically, when it is determined that the identifier of the second PLMN belongs to the identifiers of the PLMNs allowed access under the interconnect purpose, that the information about the second NF matches the information about the NFs allowed to access the first NF, and that the first service matches the services allowed to be accessed, the first NRF can send the second NF an access token that can be used to access the first NF's service in the interconnection scenario, which ensures that NF service consumers obtain services legitimately in the interconnection scenario.
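The token issuance of the second aspect and the pre-authorization checks of the first aspect, as one added end-to-end example that is not code from the patent or from Huawei: an NRF that stores a producer's interconnect allow-lists and issues a token, and a first network element (SEPP or producer NF) that checks the token's claims against the service request message. The HMAC integrity protection under a key shared with the NRF, the claim names, the use of the NF type as the "NF information", and the test PLMN codes 001-01, 001-02 and 001-03 are assumptions made for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumption: the token is integrity-protected with an HMAC under a key the NRF shares
# with the verifying network element. The page only says "integrity protection";
# the key below is a constructed demo value.
TOKEN_KEY = b"constructed-demo-key"
INTERCONNECT = "interconnect"  # assumed literal for the interconnect-purpose claim


@dataclass
class ProducerProfile:
    """What the first NF (service producer) registers at the first NRF (second aspect)."""
    nf_instance_id: str
    allowed_plmns: set      # PLMN list allowed access under the interconnect purpose
    allowed_nf_types: set   # NF information (here: NF type) allowed to access this NF
    allowed_services: set   # service information allowed to be accessed


def sign_token(claims):
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims,
            "mac": hmac.new(TOKEN_KEY, payload, hashlib.sha256).hexdigest()}


def token_is_intact(token):
    payload = json.dumps(token["claims"], sort_keys=True).encode()
    expected = hmac.new(TOKEN_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["mac"])


class NRF:
    """First NRF: registers producers and answers the first request message."""

    def __init__(self):
        self.profiles = {}

    def register(self, profile):
        self.profiles[profile.nf_instance_id] = profile

    def issue_access_token(self, req):
        """Returns a signed token, or None when the consumer is not allowed."""
        p = self.profiles.get(req["target_nf"])
        if p is None or req["purpose"] != INTERCONNECT:
            return None
        if req["consumer_plmn"] not in p.allowed_plmns:
            return None  # second PLMN not in the interconnect allow-list
        if req["consumer_nf_type"] not in p.allowed_nf_types:
            return None  # NF information not allowed to access the first NF
        if req["service"] not in p.allowed_services:
            return None  # service not allowed to be accessed for interconnect
        return sign_token({"plmn_id": req["consumer_plmn"], "purpose": INTERCONNECT,
                           "nf_type": req["consumer_nf_type"], "service": req["service"],
                           "target_nf": p.nf_instance_id})


def authorize_service_request(msg):
    """Checks a first network element runs before authorizing (first aspect).
    Returns (True, 'authorized') or (False, reason); any mismatch is a refusal."""
    token = msg["access_token"]
    if not token_is_intact(token):
        return False, "access token integrity check failed"
    c = token["claims"]
    if msg["plmn_id"] != c["plmn_id"]:
        return False, "second PLMN identifier differs from PLMN identifier in token"
    if msg["purpose_of_request"] != c["purpose"]:
        return False, "purpose of request differs from interconnect purpose"
    if "nf_type" in c and msg["nf_type"] != c["nf_type"]:
        return False, "second NF information differs from NF information in token"
    if "service" in c and msg["service"] != c["service"]:
        return False, "first service differs from service information in token"
    return True, "authorized"


def run_scenario():
    """Constructed scenario: a producer in PLMN 001-01 allows an AMF in PLMN 001-02."""
    nrf = NRF()
    nrf.register(ProducerProfile("udm-1", {"001-02"}, {"AMF"}, {"nudm-uecm"}))
    ask = {"target_nf": "udm-1", "purpose": INTERCONNECT, "consumer_plmn": "001-02",
           "consumer_nf_type": "AMF", "service": "nudm-uecm"}
    token = nrf.issue_access_token(ask)
    good = {"access_token": token, "plmn_id": "001-02", "purpose_of_request": INTERCONNECT,
            "nf_type": "AMF", "service": "nudm-uecm"}
    wrong_plmn = dict(good, plmn_id="001-03")                    # token replayed from another PLMN
    wrong_purpose = dict(good, purpose_of_request="other-purpose")
    # Rewriting the PLMN claim to match the requester fails the integrity check instead.
    tampered = dict(wrong_plmn, access_token={"claims": dict(token["claims"], plmn_id="001-03"),
                                              "mac": token["mac"]})
    return {"issued": token is not None,
            "good": authorize_service_request(good),
            "wrong_plmn": authorize_service_request(wrong_plmn),
            "wrong_purpose": authorize_service_request(wrong_purpose),
            "tampered": authorize_service_request(tampered),
            "denied_at_nrf": nrf.issue_access_token(dict(ask, consumer_plmn="001-03")) is None}
```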

In a third aspect, a service authorization method is provided. The method includes: a security edge protection proxy (SEPP) receives a service request message from a second NF, where the second NF is located in a second PLMN and the service request message is used to request that a first NF located in a first PLMN provide a first service to the second NF; the SEPP performs authorization of the second NF to use the first service according to configured parameters, where the configured parameters include information about the NFs allowed to access the first NF under an interconnect purpose, and before performing the authorization, determines that the information about the NFs allowed to access the first NF under the interconnect purpose includes the information about the second NF.

It should be understood that the SEPP may be a first SEPP located in the first PLMN or a second SEPP located in the second PLMN, for example the first SEPP or the second SEPP in the embodiment shown in FIG. 6.

Based on the above solution, the NF service consumer can send a service request message to the service producer, and the SEPP, using a configured parameter list, performs service authorization on the service request message. In this way, modifying the parameters configured on the SEPP is enough to support service authorization in the interconnection scenario and finer-grained service access control. Before authorizing the second NF to use the first service, the SEPP must determine that the information about the second NF belongs to the information about the NFs allowed to access the first NF under the interconnect purpose, which prevents malicious NF service consumers from obtaining services illegitimately in the interconnection scenario.

Optionally, the configured parameters may be pre-configured.

With reference to the third aspect, in a possible implementation, the SEPP is located in the first PLMN, the configured parameters further include a list of PLMNs allowed to access the first PLMN under the interconnect purpose, and before performing the authorization the method further includes: determining that the list of PLMNs allowed to access the first PLMN under the interconnect purpose includes the second PLMN; or, the SEPP is located in the second PLMN, the configured parameters further include a list of PLMNs that the second PLMN is allowed to access under the interconnect purpose, and before performing the authorization the method further includes: determining that the list of PLMNs that the second PLMN is allowed to access under the interconnect purpose includes the first PLMN.

With reference to the third aspect, in a possible implementation, the configured parameters further include information about the services allowed to be accessed under the interconnect purpose, and before performing the authorization the method further includes: determining that the information about the services allowed to be accessed under the interconnect purpose includes the information about the first service carried in the service request message.

With reference to the third aspect, in a possible implementation, the method further includes: the SEPP refuses the second NF the use of the first service, and before the refusal determines, according to the configured parameters, that the information about the NFs allowed to access the first NF under the interconnect purpose does not include the information about the second NF.

With reference to the third aspect, in a possible implementation, the SEPP is located in the first PLMN, the configured parameters further include a list of PLMNs allowed to access the first PLMN under the interconnect purpose, and the method further includes: the SEPP refuses the second NF the use of the first service, and before the refusal determines that the list of PLMNs allowed to access the first PLMN under the interconnect purpose does not include the second PLMN; or, the SEPP is located in the second PLMN, the configured parameters further include a list of PLMNs that the second PLMN is allowed to access under the interconnect purpose, and before the refusal the method further includes: determining that the list of PLMNs that the second PLMN is allowed to access under the interconnect purpose does not include the first PLMN.

结合第三方面,在一种可能的实现方式中,其特征在于,所述配置的参数还包括所述互联目的下允许被访问的服务的信息,所述方法进一步包括:所述SEPP拒绝所述第二NF使用所述第一服务,在所述拒绝之前,确定所述允许被访问的服务的信息不包括所述第一服务的信息。Combined with the third aspect, in a possible implementation manner, it is characterized in that the configured parameters also include information about services that are allowed to be accessed for the purpose of interconnection, and the method further includes: the SEPP rejects the The second NF uses the first service, and before the rejection, determines that the information of the service allowed to be accessed does not include the information of the first service.

In a fourth aspect, an authorization verification apparatus is provided. The apparatus includes: a transceiver unit, configured to receive a service request message from a second NF located in a second PLMN, the service request message requesting that a first NF located in a first PLMN provide a first service to the second NF, the service request message including an access token, a purpose of the request and an identifier of the second PLMN, and the access token including a PLMN identifier and an interconnection purpose; and a processing unit, configured to perform authorization of the second NF's use of the first service and, before performing the authorization, to determine that the identifier of the second PLMN is the same as the PLMN identifier in the access token and that the purpose of the request is the same as the interconnection purpose.

In a fifth aspect, a token-sending apparatus is provided. The apparatus includes: a transceiver unit, configured to receive a registration request from a first NF located in the first PLMN, the registration request including a list of PLMNs allowed access for the interconnection purpose, the list including a second PLMN; to complete the registration of the first NF; and to receive a first request message from a second NF located in the second PLMN, the first request message requesting an access token for accessing a first service of the first NF located in the first PLMN and including the identifier of the second PLMN and the interconnection purpose; and a processing unit, configured to generate the access token in response to the first request message, the access token including the identifier of the second PLMN and the interconnection purpose. The transceiver unit is further configured to send the access token to the second NF.

In a sixth aspect, a service authorization apparatus is provided. The apparatus includes: a transceiver unit, configured to receive a service request message from a second NF located in a second PLMN, the service request message requesting that a first NF located in a first PLMN provide a first service to the second NF; and a processing unit, configured to perform authorization of the second NF's use of the first service, where the configured parameters include information of the NFs allowed to access the first NF for the interconnection purpose, and, before performing the authorization, to determine from the configured parameters that this information includes the information of the second NF.
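One way to implement the SEPP-side checks of the third aspect and the sixth aspect, as an added example that is not the patent's own code nor any vendor's SEPP: the SEPP holds, per purpose, the PLMN lists, the services allowed across the interconnect and the consumer NF types allowed to reach each producer NF type, and rejects the request at the first list that does not contain the corresponding field. Which PLMN list applies depends on whether the SEPP sits in the producer's PLMN or in the consumer's PLMN, matching the two alternatives of the third aspect. The configuration layout, the purpose label, the PLMN identifiers "plmn-1" and "plmn-2", the NF types and the service name are assumptions chosen for illustration, and the sample configuration is constructed.

```python
"""SEPP-side service authorization from configured parameters.

Added example; not code from the patent or from any SEPP product. The
configuration layout, PLMN identifiers, NF types and service names are
assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

INTERCONNECT = "interconnect"   # assumed label for the "interconnection purpose"


@dataclass
class SeppConfig:
    local_plmn: str
    # purpose -> PLMNs allowed to access the local PLMN; applies when the SEPP
    # sits in the producer's PLMN (the patent's "first PLMN")
    inbound_plmns: Dict[str, Set[str]] = field(default_factory=dict)
    # purpose -> PLMNs the local PLMN is allowed to access; applies when the
    # SEPP sits in the consumer's PLMN (the "second PLMN")
    outbound_plmns: Dict[str, Set[str]] = field(default_factory=dict)
    # purpose -> services that may be invoked across the interconnect
    allowed_services: Dict[str, Set[str]] = field(default_factory=dict)
    # purpose -> producer NF type -> consumer NF types allowed to access it
    allowed_consumers: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)


@dataclass
class ServiceRequest:
    purpose: str
    consumer_plmn: str
    consumer_nf_type: str
    producer_plmn: str
    producer_nf_type: str
    service: str


def authorize(cfg: SeppConfig, req: ServiceRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check is deny-by-default: a purpose, PLMN,
    service or NF type that is absent from the configuration is refused."""
    # 1. PLMN-level check; the list consulted depends on where this SEPP sits.
    if req.producer_plmn == cfg.local_plmn:
        if req.consumer_plmn not in cfg.inbound_plmns.get(req.purpose, set()):
            return False, f"PLMN {req.consumer_plmn} may not access {cfg.local_plmn} for {req.purpose}"
    elif req.consumer_plmn == cfg.local_plmn:
        if req.producer_plmn not in cfg.outbound_plmns.get(req.purpose, set()):
            return False, f"{cfg.local_plmn} may not access PLMN {req.producer_plmn} for {req.purpose}"
    else:
        return False, "request does not involve the local PLMN"

    # 2. Service-level check: is this service exposed for this purpose at all?
    if req.service not in cfg.allowed_services.get(req.purpose, set()):
        return False, f"service {req.service} is not allowed for {req.purpose}"

    # 3. NF-level check: may this consumer NF type reach this producer NF type?
    consumers = cfg.allowed_consumers.get(req.purpose, {}).get(req.producer_nf_type, set())
    if req.consumer_nf_type not in consumers:
        return False, f"{req.consumer_nf_type} may not access {req.producer_nf_type} for {req.purpose}"

    return True, "authorized"


def example_config() -> SeppConfig:
    """Constructed configuration for a SEPP in PLMN 'plmn-1' (assumed identifiers)."""
    return SeppConfig(
        local_plmn="plmn-1",
        inbound_plmns={INTERCONNECT: {"plmn-2"}},
        outbound_plmns={INTERCONNECT: {"plmn-2"}},
        allowed_services={INTERCONNECT: {"nudm-uecm"}},
        allowed_consumers={INTERCONNECT: {"UDM": {"SMS-GMSC"}}},
    )


if __name__ == "__main__":
    cfg = example_config()
    print(authorize(cfg, ServiceRequest(INTERCONNECT, "plmn-2", "SMS-GMSC", "plmn-1", "UDM", "nudm-uecm")))
    # same pair of PLMNs, but an NF type the interconnect policy does not list
    print(authorize(cfg, ServiceRequest(INTERCONNECT, "plmn-2", "AMF", "plmn-1", "UDM", "nudm-uecm")))
```

The second call is the case the text singles out: the two PLMNs may communicate, so a PLMN-only check would forward the request, but the NF-level list refuses it. Real SEPP policy additionally has to be matched against the N32 peer the request actually arrived from, otherwise a consumer can simply claim a permitted PLMN in the message.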

It should be understood that the specific implementations and beneficial effects of the above apparatuses have been described in detail in the method embodiments above; refer to those embodiments for details, which are not repeated here for brevity.

In a seventh aspect, an authorization verification method is provided. The method includes: a first network element receives a service request message from a second NF located in a second PLMN, the service request message requesting that a first NF located in a first PLMN provide a first service to the second NF, the service request message including an access token, a purpose of the request and an identifier of the second PLMN, and the access token including a PLMN identifier and an interconnection purpose;

Based on the above solution, while the NF service consumer requests a service from the NF service producer, the first network element can perform authorization verification of the NF service consumer using the PLMN identifier and the interconnection purpose carried in the access token in the service request message, that is, verify whether the NF service consumer is authorized to use the requested service. Specifically, NF service consumers in the network indicated by the PLMN identifier in the access token can use the services of the NF service producer for the interconnection purpose, while NF service consumers in other networks cannot.

At the same time, by determining that the purpose of the request in the service request message is the same as the interconnection purpose in the access token, it is ensured that the access token is used in an interconnection scenario, which prevents misuse of the access token.

In addition, the solution provided by this application enables finer-grained access control. For example, in some cases two PLMNs are allowed to communicate, but a particular NF service producer may not provide a service to an NF service consumer in the interconnection scenario; the first SEPP (or the second SEPP) can then reject the service requested by that NF service consumer. That is, under the conventional scheme the NF service consumer's service request message would be forwarded to the NF service producer simply because the two PLMNs are allowed to communicate, whereas the solution of this application additionally performs authorization verification of the NF service consumer based on the PLMN identifier and the interconnection purpose in the access token, and if that verification fails it can refuse to forward the service request message or directly reject the NF service consumer's service request.

When the identifier of the second PLMN differs from the PLMN identifier, or when the purpose of the request differs from the interconnection purpose, the first network element rejects the second NF's use of the first service.

With reference to the seventh aspect, in a possible implementation, the service request message further includes information of the second NF, the access token further includes NF information indicating the service-requesting network element to which the access token applies, and the method further includes: when the information of the second NF differs from the NF information, the first network element rejects the second NF's use of the first service.

Based on the above technical solution, while the second NF requests the first service from the first NF, the first network element can authorize the second NF's use of the first service based on the PLMN identifier, the interconnection purpose and the NF information in the access token carried in the service request message, ensuring that the second NF is a service-requesting network element to which the token applies in the interconnection scenario. This prevents misuse of the access token and hence prevents a malicious service consumer from illegitimately obtaining services in the interconnection scenario.

With reference to the seventh aspect, in a possible implementation, the service request message further includes information of the first service, the access token further includes service information indicating the service to which the access token applies, and the method further includes: when the information of the first service differs from the service information, the first network element rejects the second NF's use of the first service.

Based on the above technical solution, while the second NF requests the first service from the first NF, the first network element can perform authorization verification of the second NF's use of the first service based on the PLMN identifier, the interconnection purpose, the NF information and the service information in the access token carried in the service request message, ensuring that the service requested by the second NF is one to which the token applies in the interconnection scenario. This prevents misuse of the access token and hence prevents a malicious service consumer from illegitimately obtaining services in the interconnection scenario.
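The token exchange of the fifth aspect and the checks of the fourth and seventh aspects, as an added example that is not part of the patent nor of any NRF or SEPP implementation: the NRF records at registration which PLMNs may reach a producer NF for the interconnection purpose, issues a token only to a consumer from such a PLMN, and binds the consumer's PLMN, the purpose, the consumer NF and the service into the token; the first network element then refuses any request whose fields differ from the token's claims, which is exactly the situation in which two PLMNs may communicate but this token was not minted for this PLMN, purpose, NF or service. The token here is a minimal HMAC-signed JSON object standing in for the JWT access token used in 3GPP service-based architecture; the signing key, the PLMN identifiers, the NF identifiers, the service names and the purpose label are all assumptions, and the registration data is constructed.

```python
"""Issuing and verifying an interconnection access token.

Added example; not code from the patent or from any NRF/SEPP product. The
token is a minimal HMAC-signed JSON object standing in for the JWT access
token of 3GPP SBA; key, identifiers, service names and purpose label are
assumptions chosen for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

INTERCONNECT = "interconnect"                        # assumed purpose label
SIGNING_KEY = b"example-nrf-key-not-for-production"   # assumed; a real NRF signs with a private key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: Dict, key: bytes) -> str:
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def parse_token(token: str, key: bytes) -> Optional[Dict]:
    """Return the claims if the signature verifies and the token is unexpired, else None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < time.time():
        return None
    return claims


class Nrf:
    """Token issuer of the fifth aspect: the producer NF's registration carries the
    PLMNs allowed to reach it for the interconnection purpose."""

    def __init__(self, key: bytes = SIGNING_KEY) -> None:
        self.key = key
        self.registrations: Dict[str, Dict] = {}

    def register(self, nf_id: str, plmn: str, services: Set[str], allowed_plmns: Set[str]) -> None:
        self.registrations[nf_id] = {"plmn": plmn, "services": set(services),
                                     "allowed_plmns": set(allowed_plmns)}

    def issue_token(self, consumer_nf: str, consumer_plmn: str, purpose: str,
                    producer_nf: str, service: str, ttl: int = 300) -> Optional[str]:
        reg = self.registrations.get(producer_nf)
        if reg is None or service not in reg["services"]:
            return None
        if purpose == INTERCONNECT and consumer_plmn not in reg["allowed_plmns"]:
            return None                         # PLMN not on the producer's allow-list
        claims = {"sub": consumer_nf, "plmn": consumer_plmn, "purpose": purpose,
                  "aud": producer_nf, "scope": service, "exp": int(time.time()) + ttl}
        return sign_token(claims, self.key)


@dataclass
class ServiceRequest:
    consumer_nf: str
    consumer_plmn: str
    purpose: str
    producer_nf: str
    service: str
    token: str


def verify_service_request(req: ServiceRequest, key: bytes = SIGNING_KEY) -> Tuple[bool, str]:
    """Checks of the seventh aspect, performed by the first network element (e.g. a SEPP)
    before authorization. Each request field is bound to a token claim, so a token minted
    for another PLMN, purpose, consumer NF or service is refused rather than forwarded."""
    claims = parse_token(req.token, key)
    if claims is None:
        return False, "token signature invalid or token expired"
    bindings = [("plmn", req.consumer_plmn, "PLMN identifier"),
                ("purpose", req.purpose, "request purpose"),
                ("sub", req.consumer_nf, "consumer NF"),
                ("aud", req.producer_nf, "producer NF"),
                ("scope", req.service, "service")]
    for claim, value, label in bindings:
        if claims.get(claim) != value:
            return False, f"{label} in request does not match the access token"
    return True, "authorized"


if __name__ == "__main__":
    nrf = Nrf()
    nrf.register("udm-1", "plmn-1", {"nudm-uecm"}, allowed_plmns={"plmn-2"})
    token = nrf.issue_token("sms-gmsc-1", "plmn-2", INTERCONNECT, "udm-1", "nudm-uecm")
    print(verify_service_request(ServiceRequest("sms-gmsc-1", "plmn-2", INTERCONNECT, "udm-1", "nudm-uecm", token)))
    # the same token presented from another PLMN is refused
    print(verify_service_request(ServiceRequest("sms-gmsc-1", "plmn-3", INTERCONNECT, "udm-1", "nudm-uecm", token)))
```

Binding the purpose into the token is what keeps a token obtained for ordinary intra-PLMN or roaming use from being replayed over the interconnect; binding the consumer NF and the service is what stops a consumer that legitimately holds a token for one service from presenting it for another. The PLMN identifier check is only meaningful if the verifying element also confirms that the request really arrived from that PLMN's SEPP over N32, which the token itself cannot prove.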

In an eighth aspect, a computer-readable storage medium is provided. The computer-readable storage medium stores a computer program which, when run on a computer, causes the computer to perform the method of any one of the first aspect, or the method of the second aspect, or the method of any one of the third aspect.

In a ninth aspect, a computer program product is provided. The computer program product includes computer program instructions which, when run on a computer, cause the computer to perform the method of any one of the first aspect, or the method of any one of the second aspect, or the method of any one of the third aspect.

In a tenth aspect, a communication apparatus is provided. The apparatus includes at least one processor configured to execute a computer program or instructions stored in a memory so as to perform the method of any one of the first aspect, or the method of any one of the second aspect, or the method of any one of the third aspect.

In an eleventh aspect, a communication system is provided, including at least two of the authorization verification apparatus of the fourth aspect, the token-sending apparatus of the fifth aspect and the service authorization apparatus of the sixth aspect.

Brief description of the drawings

Figure 1 is a schematic diagram of a network architecture applicable to embodiments of this application.

Figure 2 is a schematic diagram of a communication mode in an interconnection scenario.

Figure 3 is an exemplary flowchart of an authorization verification method provided by an embodiment of this application.

Figure 4 is an exemplary flowchart of a method for sending an access token provided by an embodiment of this application.

Figure 5 is an exemplary flowchart of a registration method provided by an embodiment of this application.

Figure 6 is an exemplary flowchart of a method for sending an access token provided by an embodiment of this application.

Figure 7 is an exemplary flowchart of an authorization verification method provided by an embodiment of this application.

Figure 8 is an exemplary flowchart of a service authorization method provided by an embodiment of this application.

Figure 9 is a schematic block diagram of an authorization verification apparatus provided by an embodiment of this application.

Figure 10 is a schematic structural diagram of an authorization verification device provided by an embodiment of this application.

Detailed description

The technical solutions in the embodiments of this application are described below with reference to the accompanying drawings.

The technical solutions of the embodiments of this application can be applied to various communication systems, for example: long term evolution (LTE) systems, LTE frequency division duplex (FDD) systems, LTE time division duplex (TDD) systems, the universal mobile telecommunications system (UMTS), worldwide interoperability for microwave access (WiMAX) communication systems, 5G or new radio (NR) systems, sixth generation (6G) systems, or future communication systems. The 5G mobile communication systems referred to in this application include non-standalone (NSA) and standalone (SA) 5G mobile communication systems. The communication system may also be a public land mobile network (PLMN), a device-to-device (D2D) communication system, a machine-to-machine (M2M) communication system, an internet of things (IoT) communication system, or another communication system.

To facilitate understanding of the embodiments of this application, the network architecture applicable to them is first described in detail with reference to Figure 1.

Figure 1 is a schematic diagram of a network architecture applicable to the method provided by the embodiments of this application. As shown in Figure 1, the network architecture is, for example, the 5G system (5GS) defined by the 3rd generation partnership project (3GPP). It is a service-based system architecture: the network elements inside the dashed box in Figure 1 communicate over service-based interfaces. The architecture may include an access network (AN) and a core network (CN), and may also include user equipment (UE).

The core network maintains the subscription data of the mobile network and provides session management, mobility management, policy management, security authentication and similar functions for UEs. It may include the following network elements: user plane function (UPF), authentication server function (AUSF), access and mobility management function (AMF), session management function (SMF), network slice selection function (NSSF), network exposure function (NEF), network repository function (NRF), policy control function (PCF), unified data management (UDM) and application function (AF).

The network elements shown in Figure 1 are briefly introduced below:

1. User equipment (UE): also called a terminal device. A terminal device provides voice/data connectivity to a user, for example a handheld device or a vehicle-mounted device with wireless connection capability.

It should be understood that a terminal device may be any device that can access the network. A terminal device and an access network device may communicate with each other using some air interface technology.

2. Access network (AN): the access network provides network access for authorized users in a specific area and comprises radio access network (RAN) devices and AN devices. RAN devices are mainly 3GPP radio network devices; AN devices may be access network devices defined outside 3GPP (non-3GPP).

The access network serves cells. A terminal device communicates with a cell over transmission resources (for example, frequency-domain resources, or spectrum resources) allocated by the access network device.

3. AMF: mainly used for mobility management and access management, such as user location update, user registration with the network and user handover. The AMF may also implement the functions of the mobility management entity (MME) other than session management, for example lawful interception or access authorization (or authentication).

4. SMF: mainly used for session management, allocation and management of UE internet protocol (IP) addresses, selection of the user plane function, termination of policy control or charging function interfaces, and downlink data notification. In the embodiments of this application the SMF is mainly responsible for session management in the mobile network, such as session establishment, modification and release; specific functions include, for example, allocating IP addresses to terminal devices and selecting a UPF that provides packet forwarding.

5. UPF: responsible for forwarding and receiving the user data of terminal devices. The UPF can receive user data from a data network (DN) and transmit it to the terminal device through the access network device, and can receive user data from the terminal device through the access network device and forward it to the data network. The transmission resources and scheduling functions with which the UPF serves terminal devices are managed and controlled by the SMF.

6. Data network (DN): a service network that provides data services to users. It may be a private network such as a local area network, an external network not controlled by the operator such as the Internet, or a dedicated network jointly deployed by operators, for example a network providing the IP multimedia subsystem (IMS). A UE accesses a DN through an established protocol data unit (PDU) session.

7. Authentication server function (AUSF): mainly used for security authentication of users.

8. Network exposure function (NEF): mainly used to support exposure of capabilities and events, for example to securely expose services and capabilities provided by 3GPP network functions to external parties.

9. Network repository function (NRF): mainly provides service registration, discovery and authorization and maintains information about available network function (NF) instances, enabling on-demand configuration of network functions and services and interconnection between NFs. Service registration means that an NF must register with the NRF before providing services. Service discovery means that an NF that needs another NF to provide a service for it must first perform service discovery through the NRF to find the desired NF. For example, when NF 1 needs NF 2 to provide a service for it, it must first discover NF 2 through the NRF.

10. PCF: a unified policy framework that guides network behaviour, provides policy rule information to control plane function network elements (for example the AMF and the SMF), and is responsible for obtaining the subscription information relevant to policy decisions.

11. UDM: used to generate authentication credentials, process user identities (such as storing and managing users' permanent identities), control access authorization and manage subscription data.

12. Application function (AF): mainly supports interaction with the 3GPP core network to provide services, for example influencing data routing decisions, interacting with the policy control function (PCF), or providing third-party services to the network side.

13. Service communication proxy (SCP): routes and forwards service-based interface signalling. An operator can deploy SCPs as needed; an SCP provides routing and forwarding for the sender of service-based interface signalling, for example an NF. An NF may be configured with the information of a corresponding SCP, which then forwards messages for that NF; when the NF needs to communicate through the SCP, it sends its messages to the configured SCP.

14. Security edge protection proxy (SEPP): an important component of the 5G roaming security architecture. It supports user roaming and interworking with other operators, is responsible for message filtering and policy management on the control plane interface between operators, and acts mainly as the border gateway between operators' core network control planes.

It should be understood that the network architecture above, described from the perspective of the service-based architecture, is only an example; the network architecture applicable to the embodiments of this application is not limited to it, and any network architecture that can implement the functions of the above network elements is applicable.

It should also be understood that the AMF, SMF, UPF, network slice selection function (NSSF), NEF, AUSF, NRF, PCF and UDM shown in Figure 1 can be understood as core network elements implementing different functions, which may, for example, be combined on demand into network slices. These core network elements may each be an independent device, or may be integrated into the same device to implement different functions; this application does not limit their specific form.

It should also be understood that the above names are defined only to distinguish different functions and do not limit this application in any way. This application does not exclude the use of other names in 5G networks and other future networks; for example, in a 6G network some or all of the above network elements may keep the 5G terminology or may use other names. The interface names between the network elements in Figure 1 are only examples; in a specific implementation the interfaces may have other names, which this application does not specifically limit. Likewise, the names of the messages (or signalling) transmitted between the network elements are only examples and do not limit the function of the messages themselves.

To facilitate understanding of the solutions provided by the embodiments of this application, the communication mode between service-based network elements is first briefly described.

In the 5G service-based system architecture, the two parties communicating over a service-based interface are called the service consumer and the service producer: the party requesting a service is the service consumer and the party providing it is the service producer. A service consumer may also be called a consumer, consuming network element, user, requesting end, requester or service-consuming network element; a service producer may also be called a providing network element, service-providing network element, provider, producer or responder. This application does not limit these terms.

To facilitate understanding of the solutions provided by the embodiments of this application, the communication mode between service-based network elements in the interconnection scenario is next briefly described.

Figure 2 is a schematic diagram of a communication mode in an interconnection scenario. In the mode shown in Figure 2, the first SEPP and the NF service producer are in the first PLMN, and the second SEPP and the NF service consumer are in the second PLMN. A service request message sent by the NF service consumer to the NF service producer must be forwarded through the second SEPP and the first SEPP. The first SEPP or the second SEPP can verify whether the first PLMN and the second PLMN are allowed to communicate and thereby decide whether the service request message may pass.

In the embodiments of this application, the interconnection scenario is one in which the service consumer and the service producer are each attached to their own network, but the service consumer needs to access a service provided by the service producer.

For example, UE1 of China Mobile and UE2 of China Telecom exchange short messages while each is attached to its own network. In this case, China Mobile's core network must interact with China Telecom's core network to forward the message, for example China Mobile's short message service gateway mobile switching center (SMS-GMSC) accesses China Telecom's UDM. The service access between China Mobile's SMS-GMSC and China Telecom's UDM is then called interconnection access, and this is an interconnection scenario.

在该通信模式中,虽然SEPP可以验证两个PLMN之间是否可以进行通信,但是不能验证该NF服务消费者是否可以使用NF服务提供者提供的服务。例如,在一些情况下,某个NF服务提供者设定为不能在互联场景中为服务消费者提供服务,但是仍可以接收到其他网络中发送的服务请求消息,此时该服务提供者可能存在被非法访问的风险。In this communication mode, although SEPP can verify whether communication can be carried out between two PLMNs, it cannot verify whether the NF service consumer can use the services provided by the NF service provider. For example, in some cases, a certain NF service provider is set so that it cannot provide services to service consumers in the Internet scenario, but can still receive service request messages sent in other networks. At this time, the service provider may exist Risk of illegal access.

Figure 3 is a schematic flow chart of an authorization verification method 300 provided by an embodiment of this application. Method 300 includes:

S301: the first network element receives a service request message from the second network function (NF).

The service request message requests that the first NF provide the first service to the second NF. It includes an access token, the purpose of the request and the identifier of the second PLMN; the access token includes a PLMN identifier and the interconnection purpose. The first NF is located in the first PLMN and the second NF in the second PLMN.

The second NF may be a service requesting network element (service consumer). The first network element may be the first security edge protection proxy (first SEPP) located in the first PLMN, the second security edge protection proxy (second SEPP) located in the second PLMN, or a service providing network element (service producer).

The service request message is associated with the second NF. In one possible scenario the first network element receives it directly from the second NF; in another, it receives it from the second SEPP, which received it directly from the second NF; in yet another, it receives it from the first SEPP, which received it from the second SEPP, which in turn received it directly from the second NF.

Optionally, the first network element may receive the service request message from a service communication proxy network element, which may have received it directly from the second NF or through one or more further service communication proxy network elements. That is, the first network element may communicate with the second NF through one or more service communication proxy network elements.

S302: the first network element performs the authorization of the second NF to use the first service.

Before the second NF requests the service of the first NF, it may request an access token from the network element that distributes access tokens for the first NF (for example the first NRF, located in the first PLMN), so that it can then request the first NF's service with a service request message carrying the token.

The access token in the service request message is integrity protected, so a malicious NF cannot tamper with the information inside it. The protection may be applied by the network element that distributes the token. For example, the first NRF uses a shared key to generate an integrity protection parameter (such as a message authentication code, MAC) over the access token (or over parameters within it), and the second NF carries this parameter in the service request message; the first network element uses it to verify that the information in the token has not been modified. Alternatively, the first NRF signs the information in the token with its private key, and during authorization verification the signature is checked to determine whether the token has been tampered with.

Because the information in the access token has already been authorized, the first network element can verify the service request message against it and then either authorize the second NF to use the first service or refuse it.

Performing the authorization can take the following forms: if the second NF is authorized to use the first service, the first NF provides the first service to the second NF; or, if the second NF is authorized, the first SEPP forwards the service request message; or, if the second NF is authorized, the second SEPP forwards the service request message.

In the embodiments of this application the access token includes a PLMN identifier and the interconnection purpose, and the service request message includes the purpose of the request and the identifier of the second PLMN. Before the second NF is authorized to use the first service, it is determined that the identifier of the second PLMN is identical to the PLMN identifier in the access token and that the purpose of the request is identical to the interconnection purpose.

In other words, the first network element confirms that the access token was issued for use in the interconnection scenario and that the service request message originates from the network indicated by the PLMN identifier in the token.

These checks are necessary conditions for authorizing the second NF to use the first service. Other checks may also be required, and the second NF is authorized only when all of them pass.

All information included in the access token should be verified. Only when every item in the token is verified successfully is the service requesting network element authorized to use the first service of the service providing network element.

Optionally, the access token may also include information about the NF of the service providing network element, meaning that the token can be used only to request the services of that network element. In this way the service providing network element can specify which networks' service requesting network elements may use its services.

In some embodiments the access token further includes NF information and the service request message further includes information about the second NF. Before the second NF is authorized to use the first service, it is also determined that the information about the second NF matches the NF information in the access token.

The NF information in the access token identifies the service requesting network element (service consumer) to which the token applies, for example by NF type or NF instance ID.

A service requesting network element to which the token applies is one that may use the token to obtain service; network elements outside that scope may not use the token to obtain service.

In some embodiments the access token further includes service information and the service request message further includes information about the first service. Before the second NF is authorized to use the first service, it is also determined that the first service requested in the service request message matches the service information in the access token.

That is, the service request message may only request the service indicated by the service information in the access token.

Refusing the second NF the use of the first service may take the following form: the first network element rejects the service request message, thereby refusing the first service requested by the second NF. For example, the first network element sends a service response message to the second NF indicating that the first service is refused; optionally the response also carries the reason for refusal, such as failure of the access token verification.

In some embodiments the access token includes a PLMN identifier and the interconnection purpose, and the service request message includes the purpose of the request and the identifier of the second PLMN. The first network element refuses the second NF the use of the first service after determining that the identifier of the second PLMN differs from the PLMN identifier in the access token, and/or that the purpose of the request differs from the interconnection purpose.

In some embodiments the access token further includes NF information and the service request message further includes information about the second NF; the first network element refuses the second NF the use of the first service after determining that the information about the second NF differs from the NF information in the access token.

In some embodiments the access token further includes service information and the service request message further includes information about the first service; the first network element refuses the second NF the use of the first service after determining that the first service requested in the service request message differs from the service information in the access token.

If any item in the service request message differs from the corresponding information in the access token (for example the information about the first service differs from the service information in the token), the first network element refuses the second NF the use of the first service.

A method 400 for sending an access token is described next with reference to Figure 4. Method 400 includes:

S410: the first NF sends a registration request to the first NRF, and the first NRF receives the registration request from the first NF.

The first NF and the first NRF are located in the first PLMN; the second NF is located in the second PLMN.

Specifically, the registration request includes a list of PLMNs allowed access for the interconnection purpose, and this list includes the second PLMN.

That is, when the first NF registers with the first NRF, it can restrict the networks from which NFs may access it for the interconnection purpose. If the list of PLMNs allowed access for the interconnection purpose includes the second PLMN, NFs in the second PLMN may access the first NF for the interconnection purpose.

In some embodiments the registration request further includes information about the network functions allowed to access the first network function for the interconnection purpose.

That is, when the first NF registers with the first NRF, it can restrict which NFs may access it for the interconnection purpose.

In some embodiments the registration request further includes both the information about the network functions allowed to access the first network function for the interconnection purpose and information about the services that may be accessed for the interconnection purpose.

That is, when the first NF registers with the first NRF, it can restrict both which NFs may access it and which of its services may be accessed for the interconnection purpose.

S420: the first NRF completes the registration of the first NF.

Specifically, after receiving the registration request the first NRF stores the list of PLMNs allowed access for the interconnection purpose carried in the request.

In some embodiments the first NRF stores the information in the registration request about the network functions allowed to access the first network function for the interconnection purpose.

In some embodiments the first NRF stores both the information about the network functions allowed to access the first network function for the interconnection purpose and the information about the services that may be accessed for the interconnection purpose.

After completing the registration of the first NF, the first NRF can authorize service requesting network elements on the basis of the stored list of PLMNs allowed access for the interconnection purpose, and/or the stored information about the network functions allowed to access the first network function for the interconnection purpose, and/or the stored information about the services that may be accessed for the interconnection purpose.

Optionally, the first NRF sends a registration complete message to the first NF.

Optionally, the first NRF sends a registration failure message to the first NF.

S430: the second NF sends a first request message to the first NRF.

The first request message requests an access token for accessing the first service of the first NF; it includes the identifier of the second PLMN and the interconnection purpose.

When the second NF sends the first request message to the first NRF to request an access token, it must carry the identifier of the network in which it is located together with the interconnection purpose, indicating that it will request the first NF's service for the interconnection purpose.

In some embodiments the first request message further includes information about the second NF.

In that case the second NF also carries its own NF information when requesting the access token, indicating that this particular NF will request the first NF's service for the interconnection purpose.

In some embodiments the first request message further includes information about the second NF and information about the first service.

In that case the second NF carries its own NF information and the information about the first service, indicating that it will request the first service of the first NF for the interconnection purpose.

S440: in response to the first request message, the first NRF generates an access token.

The access token includes the identifier of the second PLMN and the interconnection purpose.

If the first NRF determines that access to the first NF's service for the interconnection purpose can be authorized, it writes the identifier of the second PLMN and the interconnection purpose from the first request message into the access token.

In some embodiments the first NRF determines that the information about the NFs allowed to access the first NF for the interconnection purpose includes the information about the second NF, and the access token it generates further includes the information about the second NF.

That is, if the first NRF determines that the second NF may be authorized to access the first NF's service for the interconnection purpose, it writes the second NF's information from the first request message into the access token.

In some embodiments the first NRF determines that the information about the NFs allowed to access the first NF for the interconnection purpose includes the information about the second NF, and that the information about the services that may be accessed for the interconnection purpose includes the information about the first service; the access token it generates further includes the information about the second NF and the information about the first service.

That is, if the first NRF determines that the second NF may be authorized to access the first service of the first NF for the interconnection purpose, it writes the second NF's information and the first service's information into the access token.

S450: the first NRF sends the access token to the second NF, and the second NF receives the access token from the first NRF.

A registration method 500 is described next with reference to Figure 5; it is executed during the procedure in which an NF registers with an NRF. As shown in Figure 5, method 500 includes:

S510: the NF service producer sends an NF registration message to the first NRF.

In the service-based architecture an NF must register with the NRF before it can provide services to other NFs. When an NF needs a service from another NF, it can first perform service discovery through the NRF to find the NF expected to provide that service.

When an NF registers with the NRF, the NF registration message can carry an NF profile. The NF profile can indicate which PLMNs' NFs the registering NF may serve, which NFs it may serve, or which services it may provide.

The NF service producer can be any NF, and the first NRF is the NRF in the network of the NF service producer. For ease of understanding, the NF service producer and the first NRF are used as the example.

For example, the NF profile can include a list of PLMNs allowed access for the interconnection purpose (allowed interconnect PLMN) containing one or more PLMNs. NFs in the listed PLMNs can access this NF in the interconnection scenario.

For example, if the NF service producer carries the list of PLMNs allowed access for the interconnection purpose (PLMN1, PLMN2) in the registration message, then service consumers in PLMN1 or PLMN2 may use the services of the NF service producer for the interconnection purpose, while an NF service consumer in any other PLMN may not.

Likewise, if the first NF sends a registration message to the first NRF carrying the list (PLMN1, PLMN2), a second NF located in PLMN1 or PLMN2 may use the first NF's services for the interconnection purpose, while a second NF located in another PLMN, such as PLMN3, may not.

Optionally, the list may be represented as "interconnection purpose: allowed PLMN list", indicating that the list of allowed PLMNs applies to the interconnection purpose.

Optionally, the NF profile may also include the NF types allowed access for the interconnection purpose (allowed interconnect NF type), containing one or more NF types. NFs of those types may access this NF for the interconnection purpose.

Optionally, this may be represented as "interconnection purpose: allowed NF type", indicating that the allowed NF types apply to the interconnection purpose.

For example, if the NF service producer carries allowed interconnect NF type: (NF type 1, NF type 2) in the registration message, then NF service consumers of NF type 1 or NF type 2 may use the services of the NF service producer, while consumers of any other NF type may not. The allowed interconnect NF type can thus be understood as the set of NF types permitted to access the NF service producer.

Likewise, if the first NF sends a registration message to the first NRF carrying allowed interconnect NF type: (NF type 1, NF type 2), a second NF of NF type 1 or NF type 2 may use the first NF's services, while a second NF of another type, such as NF type 3, may not.

Optionally, the NF profile may also include the services that may be accessed for the interconnection purpose (allowed interconnect service), containing one or more services. Other NFs may access these services for the interconnection purpose.

Optionally, this may be represented as "interconnection purpose: allowed services", indicating that the listed services apply to the interconnection purpose.

For example, if the NF service producer carries allowed interconnect service: (service 1, service 2) in the registration message, an NF service consumer may use service 1 or service 2 of the NF service producer. If the consumer requests another service of the producer, such as service 3, the NF service producer can refuse it. The allowed interconnect service can thus be understood as the set of services that may be accessed for the interconnection purpose.

Likewise, if the first NF sends a registration message to the first NRF carrying allowed interconnect service: (service 1, service 2) and the second NF requests service 1 or service 2 of the first NF, the first NF can authorize the second NF to use it. If the second NF requests another service of the first NF, such as service 3, the first NF can refuse the second NF the use of service 3.

S520: the first NRF stores the NF profile of the NF service producer.

After receiving the registration message, the first NRF saves the NF profile of the NF service producer. When an NF service consumer later requests an access token from the first NRF, this NF profile is used to decide whether the requested access token may be authorized.

S530: the first NRF sends a registration accept message to the NF.

A method 600 for sending an access token is described below with reference to Figure 6. As shown in Figure 6, the method 600 includes:

S610: The NF service consumer sends an access token acquisition request message to the second NRF.

In a service-based architecture, when an NF service consumer requests a service from an NF service provider, the NF service provider needs to perform an authorization check on the requested service, that is, check whether the NF service consumer is authorized to use the requested service. Once the authorization check passes, the NF service provider can provide the corresponding service to the NF service consumer.

For the NF service provider's authorization verification of the service requested by the NF service consumer, an access-token-based authorization verification scheme may be used. Before the NF service consumer requests a service from the NF service provider network element, the NF service consumer sends an access token acquisition request message to the authorization service network element to request an access token. For convenience, the NRF is taken as the authorization service network element in the following description.

It should be noted that the NF service consumer is the NF that needs to use a service, the second NRF is the NRF of the network in which the NF service consumer is located, the NF service provider is the NF that provides the service, and the first NRF is the NRF of the network in which the NF service provider is located. The roles of NF service consumer and NF service provider are interchangeable, depending on which NF provides the service and which NF uses it. For example, an NF service consumer may provide services to other NFs, and in that process the NF service consumer may be called an NF service provider.

In the interconnection scenario, the access token acquisition request message includes the interconnect purpose and the PLMN identifier of the network in which the NF service consumer is located (customer PLMN ID, cPLMN ID).

Optionally, the access token acquisition request message includes the NF type of the NF service consumer or the expected service name.

S620: The second NRF forwards the access token acquisition request message to the first NRF.

S630: The first NRF verifies whether the NF service consumer is authorized.

The first NRF verifies the information in the access token acquisition request message. Specifically, the first NRF verifies whether the information carried in the access token acquisition request message matches the corresponding information in the NF profile.

It should be noted that before S630, the NF service provider has registered with the first NRF and carried the NF profile in the registration message.

Optionally, the first NRF may also be pre-configured with the NF profile of the NF service provider.

It should be understood that the NRF network element may be pre-configured with the corresponding NF profile of each NF in the network.

It should be understood that the NF profile includes the allowed interconnect PLMN of the NF service provider.

It should be understood that when the NF profile includes the allowed interconnect PLMN, the NF service consumer may be authorized if the PLMN in which it is located is in the allowed interconnect PLMN. If the PLMN in which the NF service consumer is located is not in the allowed interconnect PLMN, the NF service provider refuses to authorize the NF service consumer. In other words, an NF service consumer in any PLMN of the allowed interconnect PLMN can use the services provided by the NF service provider.

In this embodiment of the present application, the first NRF may verify whether the cPLMN ID carried in the access token acquisition request message is in the allowed interconnect PLMN. If the cPLMN ID is in the allowed interconnect PLMN, the request message may be authorized; if the cPLMN ID is not in the allowed interconnect PLMN, the NF service provider refuses authorization.

Optionally, the NF profile may also include the allowed interconnect NF type or the allowed interconnect service of the NF service provider.

It should be understood that when the NF profile includes the allowed interconnect NF type, the first NRF needs to verify whether the NF type of the NF service consumer carried in the access token acquisition request message is in the allowed interconnect NF type. If the NF type of the NF service consumer is in the allowed interconnect NF type, the request message may be authorized; if it is not, the NF service provider refuses authorization.

It should be understood that when the NF profile includes the allowed interconnect service, the first NRF needs to verify whether the expected service name carried in the access token acquisition request message is in the allowed interconnect service. If the expected service name of the NF service consumer is in the allowed interconnect service, the request message may be authorized; if it is not, the NF service provider refuses authorization.

If all of the above verifications pass, the first NRF generates an access token, which includes the interconnect purpose and the cPLMN ID.

It should be understood that the interconnect purpose and the cPLMN ID in the access token indicate that the access token can be used by an NF service consumer for access under the interconnection purpose, and that the NF service consumer is located in the network indicated by the cPLMN ID.

Optionally, the access token may also include the NF type or the service name of the NF service consumer.

It should be understood that the NF type in the access token may indicate the NF type of the NF service consumers that can use this access token for access.

It should be understood that the service name in the access token is the expected service name carried in the access token acquisition request message. That is, the NF service consumer indicates which service of the NF service provider it expects to use; if the first NRF authorizes the NF service consumer to use that service, the name of the service is written into the access token, and the access token can then be used to consume that service of the NF service provider.

Optionally, the access token may also include the NF instance ID of the NF service consumer.

S640: The first NRF sends an access token acquisition response message to the second NRF; the response message includes the access token.

S650: The second NRF forwards the access token acquisition response message to the NF service consumer; the response message includes the access token.

It should be understood that S640 and S650 are used by the first NRF to send the access token acquisition response message to the NF service consumer.

For example, if all the information in the access token acquisition request message passes verification, the first NRF sends the generated access token to the NF service consumer in the access token acquisition response message. The access token acquisition response message may also include other information, such as the signature of the NRF and the expiration time of the access token.

Correspondingly, the NF service consumer receives the access token from the first NRF and stores it; within its validity period, the access token is used for subsequently accessing the services of the NF service provider in the interconnection scenario.

If the authorization verification in S630 fails, the first NRF sends an error response or a rejection response to the NF service consumer.

Optionally, if the authorization verification in S630 fails, the first NRF sends the NF service consumer the reason for the rejection, for example, that the PLMN in which the NF service consumer is located is not permitted, or that the NF type of the NF service consumer is not permitted.

An authorization verification method 700 is described below with reference to Figure 7; the method 700 is the procedure for requesting a service from the NF service provider. As shown in Figure 7, the method 700 includes:

S701: The NF service consumer sends a service request message to the second SEPP; the service request message is used to request a service from the NF service provider and includes the access token.

In this embodiment of the present application, the service request message includes the cPLMN ID, the purpose of request, and the access token.

Optionally, the service request message may also include the NF type of the NF service consumer.

Optionally, the service request message may also include the expected service name.

It should be understood that the access token includes the information that has already been authorized, for example, the PLMN identifier and the interconnect purpose.

Optionally, the access token may also include the NF type.

Optionally, the access token may also include the service name.

It should be understood that the service request message is addressed to the NF service provider; during transmission of the message, the second SEPP acts as a relay.

It should be understood that the access token is security-protected, so a malicious NF cannot tamper with the information in the access token. The protection may be applied by the network element that issues the access token (for example, the first NRF). For example, the first NRF uses a shared key to generate an integrity protection parameter (for example, a message authentication code, MAC) over the access token (or over the information in the access token), and the second NF carries this integrity protection parameter in the service request message. The first network element can then verify, based on the integrity protection parameter, whether the information in the access token has been tampered with. As another example, the first NRF signs the information in the token with its private key; during authorization, the signature can be verified to determine whether the information in the access token has been tampered with.

S702: The second SEPP verifies whether the service request message is authorized.

Specifically, the second SEPP verifies whether the information in the access token is the same as the information in the service request message.

The second SEPP verifies whether the purpose of request in the service request message is the same as the interconnect purpose in the access token, and verifies whether the cPLMN ID in the service request message is the same as the PLMN identifier in the access token.

Optionally, if the access token includes the NF type, the second SEPP verifies whether the NF type of the NF service consumer in the service request message is the same as the NF type in the access token.

Optionally, if the access token includes the service name, the second SEPP verifies whether the expected service name in the service request message is the same as the service name in the access token.

In addition, the second SEPP may compare the expiration time in the access token with the current time to verify whether the access token has expired. Alternatively, the second SEPP may verify, based on the integrity protection parameter or the signature of the access token, whether the access token has been tampered with.

In the above verification procedure, if the information in the access token is the same as the information in the service request message, the verification passes; otherwise, the verification fails. If all of the above verifications pass, the second SEPP forwards the service request message to the first SEPP in S703.

If any of the above verifications fails, an error response or a rejection response is sent to the NF service consumer.

S703: The second SEPP forwards the service request message to the first SEPP.

S704: The first SEPP verifies whether the service request message is authorized.

S704 is similar to S702; for details, refer to the description of S702.

It should be understood that S704 is an optional step: if the service request message has already been verified in S702, the above verification of the service request message need not be performed again in S704.

If all of the above verifications pass, the first SEPP forwards the service request message to the NF service provider in S705.

If any of the above verifications fails, an error response or a rejection response is sent to the NF service consumer.

S705: The first SEPP forwards the service request message to the NF service provider.

S706: The NF service provider verifies whether the service request message is authorized.

Specifically, the NF service provider verifies whether the information in the access token is the same as the information in the service request message.

The NF service provider verifies whether the purpose of request in the service request message is the same as the interconnect purpose in the access token, and verifies whether the cPLMN ID in the service request message is the same as the PLMN identifier in the access token.

Optionally, if the access token includes the NF type, the NF service provider verifies whether the NF type of the NF service consumer in the service request message is the same as the NF type in the access token.

Optionally, if the access token includes the service name, the NF service provider verifies whether the expected service name in the service request message is the same as the service name in the access token.

In addition, the NF service provider may compare the expiration time in the access token with the current time to verify whether the access token has expired. The NF service provider may also verify whether the NF instance ID or the NF type of the NF service provider in the access token is the same as its own instance ID or NF type.

Optionally, the NF service provider may also perform integrity verification on the access token.

For example, the NF service provider obtains the access token from the service request message and performs integrity verification on it. If the service request message carries a MAC value generated over the information in the access token with a shared key (a key shared between the NF service provider and the NRF), the NF service provider verifies the MAC value with the shared key; as another example, if the NRF has signed the access token, the NF service provider verifies the signature with the public key of the NRF.

If all of the above verifications pass, the NF service provider may execute the service requested by the NF service consumer and, in S707, send a service response message to the NF service consumer. If any of the above verifications fails, an error response or a rejection response is sent to the NF service consumer.

Optionally, the service request message may omit the purpose of request, and the verification is performed against the interconnect purpose in the access token instead; that is, it suffices to verify whether the access token permits the access.

S707: The NF service provider sends a service response message to the NF service consumer.

It should be understood that in S707, the service response message may be forwarded via the first SEPP and the second SEPP.
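The following is an added illustration of methods 600 and 700 together; it is not code from the patent or from its applicant. It shows the NRF-side check of an access token acquisition request against the registered NF profile (S630), the issuance of an integrity-protected access token (S640), and the checks that a SEPP or the NF service provider performs on a service request that carries the token (S702/S706), including the optional case in which the service request omits the purpose of request. The token layout, the use of an HMAC-SHA256 MAC under a key shared between the NRF and the verifiers, the token lifetime, and all PLMN IDs, NF types and instance IDs are assumptions chosen for the example.

```python
"""Added example of NRF token issuance and SEPP / NF service provider verification.
Not the patent's own code; token format, shared key and identifiers are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed NF profile as registered with the first NRF (S510/S520).
PROVIDER_PROFILE = {
    "nf_instance_id": "nfp-0001",                      # constructed
    "nf_type": "UDM",
    "allowed_interconnect_plmn": ["00101", "00102"],   # constructed PLMN IDs
    "allowed_interconnect_nf_type": ["AMF", "SMF"],
    "allowed_interconnect_service": ["service 1", "service 2"],
}

# Constructed key shared between the NRF and the verifiers (example only).
SHARED_KEY = b"example-shared-key-do-not-use"
TOKEN_LIFETIME = 3600  # seconds; assumption


@dataclass
class Decision:
    ok: bool
    reason: str = ""


def nrf_authorize(profile, request):
    """S630: the optional allowed-* lists are enforced only when present in the profile."""
    if request.get("purpose") != "interconnect":
        return Decision(False, "not an interconnection request")
    if request["cplmn_id"] not in profile["allowed_interconnect_plmn"]:
        return Decision(False, "PLMN not allowed")
    allowed_types = profile.get("allowed_interconnect_nf_type")
    if allowed_types and request.get("nf_type") not in allowed_types:
        return Decision(False, "NF type not allowed")
    allowed_services = profile.get("allowed_interconnect_service")
    if allowed_services and request.get("expected_service_name") not in allowed_services:
        return Decision(False, "service not allowed")
    return Decision(True)


def _mac(claims_bytes):
    """Integrity protection parameter over the token claims (shared-key MAC)."""
    return hmac.new(SHARED_KEY, claims_bytes, hashlib.sha256).hexdigest()


def nrf_issue_token(profile, request, now):
    """S640: on success return (token, decision); on failure return (None, decision)."""
    decision = nrf_authorize(profile, request)
    if not decision.ok:
        return None, decision
    claims = {
        "interconnect_purpose": "interconnect",
        "cplmn_id": request["cplmn_id"],
        "nf_type": request.get("nf_type"),
        "service_name": request.get("expected_service_name"),
        "consumer_instance_id": request.get("nf_instance_id"),
        "producer_instance_id": profile["nf_instance_id"],
        "exp": now + TOKEN_LIFETIME,
    }
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "mac": _mac(body)}, decision


def verify_service_request(token, service_request, now, own_instance_id=None):
    """S702 / S706: integrity, expiry, then claim-vs-request consistency.
    own_instance_id is passed only by the NF service provider, which checks the
    token was issued for itself; a SEPP leaves it as None."""
    body = json.dumps(token["claims"], sort_keys=True).encode()
    if not hmac.compare_digest(token["mac"], _mac(body)):
        return Decision(False, "token tampered")
    c = token["claims"]
    if now >= c["exp"]:
        return Decision(False, "token expired")
    # If the request omits purpose of request, the token's interconnect purpose governs.
    purpose = service_request.get("purpose_of_request", c["interconnect_purpose"])
    if purpose != c["interconnect_purpose"]:
        return Decision(False, "purpose mismatch")
    if service_request["cplmn_id"] != c["cplmn_id"]:
        return Decision(False, "PLMN mismatch")
    if c.get("nf_type") and service_request.get("nf_type") != c["nf_type"]:
        return Decision(False, "NF type mismatch")
    if c.get("service_name") and service_request.get("expected_service_name") != c["service_name"]:
        return Decision(False, "service mismatch")
    if own_instance_id is not None and c["producer_instance_id"] != own_instance_id:
        return Decision(False, "token not issued for this producer")
    return Decision(True)
```

The integrity check runs before any claim comparison so that a token whose cPLMN ID or service name was edited in transit is rejected as tampered rather than being compared field by field; the same structure applies if the MAC is replaced by the NRF's signature over the claims.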

A service authorization method 800 is described below with reference to Figure 8; the method 800 is the procedure for requesting a service from the NF service provider. In method 800, the service consumer may send a service request message to the service provider, and the SEPP, on which a parameter list is configured, performs service authorization on the service request message. In this way, service authorization in the interconnection scenario can be supported by modifying the parameters configured on the SEPP, and finer-grained service access control is supported.

As shown in Figure 8, the method 800 includes:

S810: The second SEPP and/or the first SEPP configure a parameter list.

It should be noted that the first SEPP and the NF service provider are located in the first PLMN, and the second SEPP and the NF service consumer are located in the second PLMN.

Taking the first SEPP as an example, the first SEPP may be configured with the information of the NFs that are allowed to access the NF service provider for the interconnection purpose.

It should be understood that there may be multiple NF service providers, and each NF service provider corresponds to the information of one or more NFs. The NF information may be the NF type, or it may be the NF instance ID. For example, the first NF service provider allows access by NF service consumers of NF type 1 or NF type 2 for the interconnection purpose.

For example, the parameter list configured on the first SEPP may be as shown in Table 1.

Table 1

It should be understood that the parameters in Table 1 above may be selected as needed and need not all be configured.

It should be understood that, in Table 1, the information of the NFs allowed to access (service consumers) indicates which service consumers may access a service provider; that is, for each service provider, the service consumers allowed to access that service provider are configured. The information of the NFs allowed to be accessed (service providers) in Table 1 indicates which service providers may be accessed.

Taking the second SEPP as an example, the parameter list configured on the second SEPP may be as shown in Table 2.

Table 2

S820: The NF service consumer sends a service request message to the second SEPP.

The NF service consumer sends a service request message to the second SEPP; the service request message is used to request the NF service provider to provide a service to the NF service consumer, and carries the purpose of request and the NF information of the NF service consumer.

Optionally, the service request message carries the identifier of the first PLMN.

Optionally, the service request message carries the identifier of the second PLMN.

Optionally, the service request message carries the NF information of the NF service provider.

Optionally, the service request message carries the expected service name.

S830: The second SEPP verifies whether the service request message is authorized.

For the interconnection purpose, that is, when the purpose of request in the request message is interconnect purpose, the second SEPP may verify the service request message against the configured parameter list; in other words, the second SEPP may perform, according to the configured parameters, the authorization of the NF service consumer to use the service of the NF service provider.

If the second SEPP is configured with the information of the NFs allowed to access, it verifies whether the NF information of the NF service consumer belongs to that information. If so, the verification passes; otherwise, the verification fails.

If the second SEPP is configured with the information of the PLMNs that the second PLMN is allowed to access, it verifies whether the first PLMN belongs to that information. If so, the verification passes; otherwise, the verification fails.

If the second SEPP is configured with the information of the NFs allowed to be accessed, it verifies whether the NF information of the NF service provider belongs to that information. If so, the verification passes; otherwise, the verification fails.

If the second SEPP is configured with the information of the services allowed to be accessed, it verifies whether the expected service name belongs to that information. If so, the verification passes; otherwise, the verification fails.

If all of the above verifications pass, the service request message is forwarded to the first SEPP in S840.

S840: The second SEPP forwards the service request message to the first SEPP.

S850: The first SEPP verifies whether the service request message is authorized.

If the purpose of request in the request message is interconnect purpose, the first SEPP may verify the service request message against the configured parameter list:

If the first SEPP is configured with the information of the NFs allowed to access, it verifies whether the NF information of the NF service consumer belongs to that information. If so, the verification passes; otherwise, the verification fails.

If the first SEPP is configured with the information of the PLMNs allowed to access the first PLMN, it verifies whether the second PLMN belongs to that information. If so, the verification passes; otherwise, the verification fails.

If the first SEPP is configured with the information of the NFs allowed to be accessed, it verifies whether the NF information of the NF service provider belongs to that information. If so, the verification passes; otherwise, the verification fails.

If the first SEPP is configured with the information of the services allowed to be accessed, it verifies whether the expected service name belongs to that information. If so, the verification passes; otherwise, the verification fails.

If all of the above verifications pass, the service request message is forwarded to the NF service provider in S860.

Optionally, the verification procedures performed by the first SEPP and the second SEPP may be performed by either one of the SEPPs.

It should be understood that the verification of the service request message by the first SEPP and the second SEPP may be a preliminary verification or a complete verification. After the first SEPP and the second SEPP have performed verification, the NF service provider may further perform authorization verification on the service request message.

S860: The first SEPP forwards the service request message to the NF service provider.
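The following is an added illustration of the parameter-list authorization of method 800 (S810 through S860); it is not code from the patent or from its applicant. Unlike the token-based checks of method 700, here each SEPP decides purely from locally configured lists: the PLMNs it may interconnect with, the NFs that may be accessed, the consumer NFs allowed to access each producer NF, and the services that may be accessed. Since Tables 1 and 2 are not reproduced on the page, the field names, the rule that an unconfigured (empty) list is simply not enforced, the fail-closed handling of non-interconnection requests, and all PLMN IDs and NF types are assumptions chosen for the example.

```python
"""Added example of SEPP parameter-list authorization (method 800).
Not the patent's own code; list layout, field names and sample values are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SeppParameterList:
    """One SEPP's configured lists (S810). An empty list means 'not configured'."""
    own_plmn: str
    allowed_plmns: frozenset = frozenset()           # PLMNs this PLMN may interconnect with
    allowed_consumer_nfs: dict = field(default_factory=dict)  # producer NF -> consumer NFs allowed to access it
    allowed_producer_nfs: frozenset = frozenset()    # NFs that are allowed to be accessed
    allowed_services: frozenset = frozenset()        # services that are allowed to be accessed


def sepp_authorize(cfg, req, side):
    """Apply the configured lists to a service request.
    side is 'consumer' for the second SEPP (S830) or 'producer' for the first SEPP (S850).
    Returns (authorized, reason)."""
    # Assumption: this check covers the interconnection purpose only and fails closed otherwise.
    if req.get("purpose_of_request") != "interconnect":
        return False, "purpose of request is not interconnect; outside this check"
    # The second SEPP checks the peer (producer) PLMN; the first SEPP checks the consumer PLMN.
    peer_plmn = req.get("producer_plmn") if side == "consumer" else req.get("consumer_plmn")
    if cfg.allowed_plmns and peer_plmn not in cfg.allowed_plmns:
        return False, "peer PLMN not allowed"
    producer = req.get("producer_nf")
    if cfg.allowed_producer_nfs and producer not in cfg.allowed_producer_nfs:
        return False, "producer NF not allowed to be accessed"
    if cfg.allowed_consumer_nfs:
        allowed = cfg.allowed_consumer_nfs.get(producer, frozenset())
        if req.get("consumer_nf") not in allowed:
            return False, "consumer NF not allowed to access producer"
    if cfg.allowed_services and req.get("expected_service_name") not in cfg.allowed_services:
        return False, "service not allowed"
    return True, "authorized"


# Constructed configurations: first SEPP and NF service provider in PLMN 00101,
# second SEPP and NF service consumer in PLMN 00102 (values are examples only).
FIRST_SEPP = SeppParameterList(
    own_plmn="00101",
    allowed_plmns=frozenset({"00102"}),
    allowed_consumer_nfs={"UDM": frozenset({"AMF", "SMF"})},
    allowed_producer_nfs=frozenset({"UDM"}),
    allowed_services=frozenset({"service 1", "service 2"}),
)
SECOND_SEPP = SeppParameterList(
    own_plmn="00102",
    allowed_plmns=frozenset({"00101"}),
    allowed_producer_nfs=frozenset({"UDM"}),
    # consumer-NF and service lists left unconfigured: not enforced at this SEPP
)


def authorize_end_to_end(req):
    """S830 at the second SEPP, then S850 at the first SEPP; S860 only if both pass."""
    ok, why = sepp_authorize(SECOND_SEPP, req, "consumer")
    if not ok:
        return False, "second SEPP: " + why
    ok, why = sepp_authorize(FIRST_SEPP, req, "producer")
    if not ok:
        return False, "first SEPP: " + why
    return True, "forwarded to NF service provider (S860)"
```

Because the second SEPP in this configuration enforces only the PLMN and producer-NF lists, a request for a service that is not allowed passes S830 and is rejected at S850, which is the "preliminary versus complete verification" split the text describes; moving the service list onto the second SEPP would reject it before it crosses the inter-PLMN link.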

Figure 9 is a schematic block diagram of an authorization verification apparatus provided by an embodiment of the present application. The apparatus 900 includes a transceiver unit 910 and a processing unit 920. The transceiver unit 910 can implement the corresponding communication functions, and the processing unit 920 is used for data processing. The transceiver unit 910 may also be called a communication interface or a communication unit.

Optionally, the apparatus 900 may also include a storage unit, which may be used to store instructions and/or data; the processing unit 920 may read the instructions and/or data in the storage unit so that the communication apparatus implements the foregoing method embodiments.

The apparatus 900 may be used to perform the actions performed by the first network element (for example, the NF service provider, the first SEPP, or the second SEPP) in the above method embodiments. In this case, the apparatus 900 may be the first network element or a component that can be configured in the first network element; the transceiver unit 910 is used to perform the transceiving-related operations on the first network element side in the above method embodiments, and the processing unit 920 is used to perform the processing-related operations of the first network element in the above method embodiments.

Alternatively, the apparatus 900 may be used to perform the actions performed by the NRF (the first NRF or the second NRF) in the above method embodiments. In this case, the apparatus 900 may be the NRF or a component that can be configured in the NRF; the transceiver unit 910 is used to perform the transceiving-related operations of the NRF in the above method embodiments, and the processing unit 920 is used to perform the processing-related operations of the NRF in the above method embodiments.

The apparatus 900 can implement the steps or procedures performed by the first network element in the method 300 according to the embodiment of the present application, or the steps or procedures performed by the first SEPP, the second SEPP, or the NF service provider in the method 700 according to the embodiment of the present application. The apparatus 900 may include units for performing the method 300 in Figure 3 or the method 700 in Figure 7, and the units in the apparatus 900 and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of the method 300 or the method 700.

When the apparatus 900 is used to perform the method 300 in Figure 3, the transceiver unit 910 may be used to perform step S301 in the method 300, and the processing unit 920 may be used to perform step S302 in the method 300.

When the apparatus 900 is used to perform the method 700 in Figure 7, the transceiver unit 910 may be used to perform steps S701, S703, S705, and S707 in the method 700, and the processing unit 920 is used to perform S702, S704, and S706 in the method 700.

It should be understood that the specific process by which each unit performs the corresponding steps above has been described in detail in the method embodiments above and, for brevity, is not repeated here.

The apparatus 900 can also implement the steps or procedures performed by the first SEPP and the second SEPP in the method 800 according to the embodiment of the present application; the apparatus 900 may include units for performing the method 800 in Figure 8, and the units in the apparatus 900 and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of the method 800.

当该装置900用于执行图8中的方法800时,收发单元910可用于执行方法800中的步骤S820、S840或S860,处理单元920可用于执行方法800中的步骤S830、S850。When the device 900 is used to perform the method 800 in FIG. 8 , the transceiving unit 910 can be used to perform steps S820, S840 or S860 in the method 800, and the processing unit 920 can be used to perform steps S830 and S850 in the method 800.

应理解,各单元执行上述相应步骤的具体过程在上述方法实施例中已经详细说明,为了简洁,在此不再赘述。It should be understood that the specific process of each unit performing the above corresponding steps has been described in detail in the above method embodiments, and will not be described again for the sake of brevity.

该装置900还可以实现对应于根据本申请实施例的方法400、方法500或方法600中的第一NRF或第二NRF执行的步骤或流程,该装置900可以包括用于执行图4中的方法400或图5中的方法500或图6中的方法600执行的方法的单元。并且,该装置900中的各单元和上述其他操作和/或功能分别为了实现方法400或方法500或方法600的相应流程。The device 900 may also implement steps or processes corresponding to the execution of the first NRF or the second NRF in the method 400, the method 500 or the method 600 according to the embodiment of the present application, and the device 900 may include a method for executing the method in Figure 4 400 or a unit of the method performed by method 500 in FIG. 5 or method 600 in FIG. 6 . Moreover, each unit in the device 900 and the above-mentioned other operations and/or functions are respectively intended to implement the corresponding processes of the method 400, the method 500, or the method 600.

当该装置900用于执行图4中的方法400时,收发单元910可用于执行方法400中的步骤S410或S430或S450,处理单元920可用于执行方法400中的步骤S420或S440。当该装置900用于执行图5中的方法500时,收发单元910可用于执行方法500中的步骤S510或S530,处理单元920可用于执行方法500中的步骤S520。当该装置900用于执行图6中的方法600时,收发单元910可用于执行方法600中的步骤S610、S620、S640或S650,处理单元920可用于执行方法600中的步骤S630。When the device 900 is used to perform the method 400 in FIG. 4 , the transceiving unit 910 can be used to perform step S410 or S430 or S450 in the method 400 , and the processing unit 920 can be used to perform step S420 or S440 in the method 400 . When the device 900 is used to perform the method 500 in FIG. 5 , the transceiver unit 910 can be used to perform step S510 or S530 in the method 500 , and the processing unit 920 can be used to perform step S520 in the method 500 . When the device 900 is used to perform the method 600 in FIG. 6 , the transceiving unit 910 can be used to perform steps S610, S620, S640 or S650 in the method 600, and the processing unit 920 can be used to perform step S630 in the method 600.

应理解,各单元执行上述相应步骤的具体过程在上述方法实施例中已经详细说明,为了简洁,在此不再赘述。It should be understood that the specific process of each unit performing the above corresponding steps has been described in detail in the above method embodiments, and will not be described again for the sake of brevity.

As shown in Figure 10, an embodiment of this application further provides a device 1000. The device 1000 includes a processor 1010 coupled to a memory 1020. The memory 1020 stores a computer program or instructions and/or data, and the processor 1010 executes the computer program or instructions and/or data stored in the memory 1020 so that the methods in the method embodiments above are performed.

Optionally, the device 1000 includes one or more processors 1010.

Optionally, as shown in Figure 10, the device 1000 may further include a memory 1020.

Optionally, the device 1000 may include one or more memories 1020.

Optionally, the memory 1020 may be integrated with the processor 1010 or provided separately.

Optionally, as shown in Figure 10, the device 1000 may further include a transceiver 1030 for receiving and/or transmitting signals. For example, the processor 1010 controls the transceiver 1030 to receive and/or transmit signals.

In one solution, the device 1000 is used to implement the operations performed by the first network element, the NF service producer or the security edge protection proxy network element (the first SEPP or the second SEPP) in the method embodiments above.

For example, the processor 1010 implements the processing operations performed by the first network element, the NF service producer or the security edge protection proxy network element (the first SEPP or the second SEPP) in the method embodiments above, and the transceiver 1030 implements the transmitting and receiving operations performed by the first network element, the NF service producer or the security edge protection proxy network element (the first SEPP or the second SEPP) in the method embodiments above.

In another solution, the device 1000 is used to implement the operations performed by the first NRF or the second NRF in the method embodiments above.

For example, the processor 1010 implements the processing operations performed by the first NRF or the second NRF in the method embodiments above, and the transceiver 1030 implements the transmitting and receiving operations performed by the first NRF or the second NRF in the method embodiments above.

It should be understood that the specific process by which each module performs the corresponding steps has been described in detail in the method embodiments above and is not repeated here for brevity.

An embodiment of this application further provides a processing apparatus including a processor and an interface; the processor is configured to perform the method in any of the method embodiments above.

It should be understood that the processing apparatus above may be one or more chips. For example, the processing apparatus may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD) or another integrated chip.

An embodiment of this application further provides a computer-readable storage medium storing computer instructions for implementing the method performed by the first network element (the NF service producer, the first SEPP or the second SEPP) or by the NRF (the first NRF or the second NRF) in the method embodiments above.

For example, when the computer program is executed by a computer, the computer implements the method performed by the first network element (the NF service producer, the first SEPP or the second SEPP) or by the NRF (the first NRF or the second NRF) in the method embodiments above.

An embodiment of this application further provides a computer program product containing instructions which, when executed by a computer, cause the computer to implement the method performed by the first network element (the NF service producer, the first SEPP or the second SEPP) or the method performed by the NRF (the first NRF or the second NRF) in the method embodiments above.

An embodiment of this application further provides a communication system including at least two of the first network element, the first SEPP, the second SEPP, the first NRF and the second NRF of the embodiments above.

Those skilled in the art will understand that, for convenience and brevity of description, the explanation and beneficial effects of the relevant content of any of the communication apparatuses provided above can be found in the corresponding method embodiments provided above and are not repeated here.

The embodiments of this application do not specifically limit the structure of the entity that executes the methods provided by the embodiments of this application, as long as it can communicate according to those methods by running a program that records their code. For example, the entity executing the method provided by an embodiment of this application may be a terminal device or a network device, or a functional module in a terminal device or network device that can invoke and execute a program.

Various aspects or features of this application may be implemented as methods, apparatuses, or articles of manufacture using standard programming and/or engineering techniques. The term "article of manufacture" as used herein encompasses a computer program accessible from any computer-readable device, carrier or medium.

The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. Available media (computer-readable media) may include, but are not limited to: magnetic media or magnetic storage devices (for example floppy disks, hard disks such as removable hard disks, and magnetic tape), optical media (for example optical discs, compact discs (CD) and digital versatile discs (DVD)), smart cards and flash memory devices (for example erasable programmable read-only memory (EPROM), cards, sticks or key drives), semiconductor media (for example solid state disks (SSD)), USB flash drives, read-only memory (ROM), random access memory (RAM), and other media that can store program code.

The various storage media described herein may represent one or more devices and/or other machine-readable media for storing information. The term "machine-readable medium" may include, but is not limited to, wireless channels and various other media capable of storing, containing and/or carrying instructions and/or data.

It should be understood that the memory mentioned in the embodiments of this application may be volatile memory or non-volatile memory, or may include both. Non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM) or flash memory. Volatile memory may be random access memory (RAM); for example, RAM may be used as an external cache. By way of example and not limitation, RAM may take many forms: static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM).

It should be noted that when the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, the memory (storage module) may be integrated in the processor.

It should also be noted that the memory described herein is intended to include, but not be limited to, these and any other suitable types of memory.

In the several embodiments provided in this application, it should be understood that the disclosed apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation; multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, apparatuses or units, and may be electrical, mechanical or of another form.

The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to implement the solution provided by this application.

In addition, the functional units in the embodiments of this application may be integrated in one unit, each unit may exist physically alone, or two or more units may be integrated in one unit.

The embodiments above may be implemented in whole or in part by software, hardware, firmware or any combination thereof.

When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus; for example, a personal computer, a server or a network device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, from one website, computer, server or data center to another website, computer, server or data center by wired means (coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (infrared, radio, microwave, etc.). For the computer-readable storage medium, see the description above.

The above are merely specific embodiments of this application, but the scope of protection of this application is not limited to them. Any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed in this application shall fall within the scope of protection of this application. Therefore, the scope of protection of this application shall be determined by the scope of protection of the claims and the description.

Claims (33)

1. An authorization verification method, comprising: a first network element receiving a service request message from a second network function located in a second public land mobile network (PLMN), the service request message requesting that a first network function located in a first PLMN provide a first service to the second network function, the service request message including an access token, a purpose of the request and an identifier of the second PLMN, and the access token including a PLMN identifier and an interconnection purpose; and the first network element performing authorization of the second network function to use the first service, and, before performing the authorization, determining that the identifier of the second PLMN is the same as the PLMN identifier in the access token and that the purpose of the request is the same as the interconnection purpose.

2. The method according to claim 1, wherein the service request message further includes information about the second network function and the access token further includes information about a network function; and before performing the authorization, the method further comprises the first network element determining that the information about the second network function is the same as the information about the network function.

3. The method according to claim 1 or 2, wherein the service request message further includes information about the first service and the access token includes information about a service; and before performing the authorization, the method further comprises the first network element determining that the information about the first service is the same as the information about the service.

4. The method according to any one of claims 1 to 3, further comprising: the first network element refusing the second network function use of the first service, having determined, before the refusal, that the identifier of the second PLMN differs from the PLMN identifier in the access token and/or that the purpose of the request differs from the interconnection purpose.

5. The method according to any one of claims 1 to 3, wherein the service request message further includes information about the second network function and the access token further includes information about a network function; the method further comprising: the first network element refusing the second network function use of the first service, having determined, before the refusal, that the identifier of the second PLMN differs from the PLMN identifier in the access token, and/or that the purpose of the request differs from the interconnection purpose, and/or that the information about the second network function differs from the information about the network function.

6. The method according to any one of claims 1 to 3, wherein the service request message further includes information about the second network function and information about the first service, and the access token further includes information about a network function and information about a service; the method further comprising: the first network element refusing the second network function use of the first service, having determined, before the refusal, that the identifier of the second PLMN differs from the PLMN identifier in the access token, and/or that the purpose of the request differs from the interconnection purpose, and/or that the information about the second network function differs from the information about the network function, and/or that the information about the first service differs from the information about the service.

7. The method according to any one of claims 1 to 6, wherein the first network element is: the first network function, a security edge protection proxy network element in the first PLMN, or a security edge protection proxy network element in the second PLMN.

8. A method of sending an access token, comprising: a first network repository function located in a first PLMN receiving a registration request from a first network function located in the first PLMN, the registration request including a list of PLMNs allowed access under an interconnection purpose, the list of PLMNs including a second PLMN; the first network repository function completing registration of the first network function; the first network repository function receiving a first request message from a second network function located in the second PLMN, the first request message requesting an access token for accessing a first service of the first network function located in the first PLMN, the first request message including an identifier of the second PLMN and the interconnection purpose; in response to the first request message, the first network repository function generating the access token, the access token including the identifier of the second PLMN and the interconnection purpose; and the first network repository function sending the access token to the second network function.

9. The method according to claim 8, wherein: the registration request further includes information about network functions allowed to access the first network function under the interconnection purpose; the first request message further includes information about the second network function; and generating the access token in response to the first request message includes the first network repository function determining that the information about network functions allowed to access the first network function under the interconnection purpose includes the information about the second network function, and generating the access token, the access token further including the information about the second network function; or: the registration request further includes information about network functions allowed to access the first network function under the interconnection purpose and information about services allowed to be accessed under the interconnection purpose; the first request message further includes information about the second network function and information about the first service; and generating the access token in response to the first request message includes the first network repository function determining that the information about network functions allowed to access the first network function under the interconnection purpose includes the information about the second network function and that the information about services allowed to be accessed under the interconnection purpose includes the information about the first service, and generating the access token, the access token further including the information about the second network function and the information about the first service.

10. A service authorization method, comprising: a security edge protection proxy network element receiving a service request message from a second network function located in a second PLMN, the service request message requesting that a first network function located in a first PLMN provide a first service to the second network function; and the security edge protection proxy network element performing authorization of the second network function to use the first service according to configured parameters, the configured parameters including information about network functions allowed to access the first network function under an interconnection purpose, and, before performing the authorization, determining that the information about network functions allowed to access the first network function under the interconnection purpose includes information about the second network function.

11. The method according to claim 10, wherein: the security edge protection proxy network element is located in the first PLMN, the configured parameters further include a list of PLMNs allowed to access the first PLMN under the interconnection purpose, and before performing the authorization the method further comprises determining that the list of PLMNs allowed to access the first PLMN under the interconnection purpose includes the second PLMN; or: the security edge protection proxy network element is located in the second PLMN, the configured parameters further include a list of PLMNs that the second PLMN is allowed to access under the interconnection purpose, and before performing the authorization the method further comprises determining that the list of PLMNs that the second PLMN is allowed to access under the interconnection purpose includes the first PLMN.

12. The method according to claim 10 or 11, wherein the configured parameters further include information about services allowed to be accessed under the interconnection purpose, and before performing the authorization the method further comprises determining that the information about services allowed to be accessed under the interconnection purpose includes the information about the first service carried in the service request message.

13. The method according to any one of claims 10 to 12, further comprising: the security edge protection proxy network element refusing the second network function use of the first service, having determined, before the refusal and according to the configured parameters, that the information about network functions allowed to access the first network function under the interconnection purpose does not include the information about the second network function.

14. The method according to any one of claims 10 to 12, wherein: the security edge protection proxy network element is located in the first PLMN, the configured parameters further include a list of PLMNs allowed to access the first PLMN under the interconnection purpose, and the method further comprises the security edge protection proxy network element refusing the second network function use of the first service, having determined, before the refusal, that the list of PLMNs allowed to access the first PLMN under the interconnection purpose does not include the second PLMN; or: the security edge protection proxy network element is located in the second PLMN, the configured parameters further include a list of PLMNs that the second PLMN is allowed to access under the interconnection purpose, and the method further comprises the security edge protection proxy network element refusing the second network function use of the first service, having determined, before the refusal, that the list of PLMNs that the second PLMN is allowed to access under the interconnection purpose does not include the first PLMN.

15. The method according to any one of claims 10 to 12, wherein the configured parameters further include information about services allowed to be accessed under the interconnection purpose, and the method further comprises: the security edge protection proxy network element refusing the second network function use of the first service, having determined, before the refusal, that the information about services allowed to be accessed does not include the information about the first service.

16. An authorization verification apparatus, comprising:
An authorization verification device, characterized by including: 收发单元,用于接收来自第二网络功能的服务请求消息,所述第二网络功能位于第二陆地公用移动通信网络,所述服务请求消息用于请求位于第一陆地公用移动通信网络的第一网络功能向所述第二网络功能提供第一服务,所述服务请求消息包括访问令牌、请求的目的和所述第二陆地公用移动通信网络的标识符,所述访问令牌包括陆地公用移动通信网络标识符和互联目的;A transceiver unit configured to receive a service request message from a second network function located in a second terrestrial public mobile communication network, and the service request message is used to request a first terrestrial public mobile communication network located in the first terrestrial public mobile communication network. The network function provides a first service to the second network function, the service request message includes an access token, a purpose of the request and an identifier of the second land public mobile communication network, the access token includes a land public mobile communication network Communications network identifiers and interconnection purposes; 处理单元,用于执行所述第二网络功能使用所述第一服务的授权,在所述执行授权之前,确定所述第二陆地公用移动通信网络的标识符与所述访问令牌中的陆地公用移动通信网络标识符相同,以及所述请求的目的与所述互联目的相同。A processing unit configured to perform authorization of the second network function to use the first service, and before performing the authorization, determine the identifier of the second terrestrial public mobile communication network and the terrestrial value in the access token. The public mobile communication network identifier is the same, and the purpose of the request is the same as the interconnection purpose. 17.根据权利要求16所述的装置,其特征在于,所述服务请求消息进一步包括第二网络功能的信息,所述访问令牌进一步包括网络功能的信息;17. The device according to claim 16, wherein the service request message further includes information about a second network function, and the access token further includes information about a network function; 所述处理单元还用于:The processing unit is also used to: 在所述执行授权之前,确定所述第二网络功能的信息与所述网络功能的信息相同。Before the execution authorization, it is determined that the information of the second network function is the same as the information of the network function. 
18.根据权利要求16或17所述的装置,其特征在于,所述服务请求消息进一步包括所述第一服务的信息,所述访问令牌包括服务的信息;18. The device according to claim 16 or 17, wherein the service request message further includes information about the first service, and the access token includes information about the service; 所述处理单元还用于:在所述执行授权之前,确定所述第一服务的信息与所述服务的信息相同。The processing unit is further configured to: before the execution authorization, determine that the information of the first service is the same as the information of the service. 19.根据权利要求16至18中任一项所述的装置,其特征在于,所述处理单元还用于:19. The device according to any one of claims 16 to 18, characterized in that the processing unit is also used for: 拒绝所述第二网络功能使用所述第一服务,在所述拒绝之前,确定所述第二陆地公用移动通信网络的标识符与所述访问令牌中的陆地公用移动通信网络标识符不相同,和/或所述请求的目的与所述互联目的不相同。Denying the second network function the use of the first service, before the rejection, it is determined that the identifier of the second terrestrial public mobile communications network is not the same as the terrestrial public mobile communications network identifier in the access token , and/or the purpose of the request is not the same as the purpose of the interconnection. 20.根据权利要求16至18中任一项所述的装置,其特征在于,所述服务请求消息进一步包括第二网络功能的信息,所述访问令牌进一步包括网络功能的信息;20. 
The device according to any one of claims 16 to 18, wherein the service request message further includes information of a second network function, and the access token further includes information of a network function; 所述处理单元还用于:The processing unit is also used to: 拒绝所述第二网络功能使用所述第一服务,在所述拒绝之前,确定所述第二陆地公用移动通信网络的标识符与所述访问令牌中的陆地公用移动通信网络标识符不相同,和/或所述请求的目的与所述互联目的不相同,和/或所述第二网络功能的信息与所述网络功能的信息不相同。Denying the second network function the use of the first service, before the rejection, it is determined that the identifier of the second terrestrial public mobile communications network is not the same as the terrestrial public mobile communications network identifier in the access token , and/or the purpose of the request is different from the interconnection purpose, and/or the information of the second network function is different from the information of the network function. 21.根据权利要求16至18中任一项所述的装置,其特征在于,所述服务请求消息进一步包括第二网络功能的信息以及所述第一服务的信息,所述访问令牌进一步包括网络功能的信息以及服务的信息;21. The device according to any one of claims 16 to 18, wherein the service request message further includes information about a second network function and information about the first service, and the access token further includes Information about network functions and services; 所述处理单元还用于:The processing unit is also used to: 拒绝所述第二网络功能使用所述第一服务,在所述拒绝之前,确定所述第二陆地公用移动通信网络的标识符与所述访问令牌中的陆地公用移动通信网络标识符不相同,和/或所述请求的目的与所述互联目的不相同,和/或所述第二网络功能的信息与所述网络功能的信息不相同,和/或所述第一服务的信息与所述服务的信息不相同。Denying the second network function the use of the first service, before the rejection, it is determined that the identifier of the second terrestrial public mobile communications network is not the same as the terrestrial public mobile communications network identifier in the access token , and/or the purpose of the request is different from the interconnection purpose, and/or the information about the second network function is different from the information about the network function, and/or the information about the first service is different from 
the information about the first service. The information for the above services is different. 22.根据权利要求16至21中任一项所述的装置,其特征在于,所述装置为:所述第一网络功能,所述第一陆地公用移动通信网络的安全边缘保护代理网元,或者,所述第二陆地公用移动通信网络的安全边缘保护代理网元。22. The device according to any one of claims 16 to 21, characterized in that the device is: the first network function, the security edge protection agent network element of the first land public mobile communication network, Alternatively, the security edge protection agent network element of the second land public mobile communication network. 23.一种发送令牌的装置,其特征在于,包括:23. A device for sending tokens, characterized in that it includes: 收发单元,用于接收位于所述第一陆地公用移动通信网络的第一网络功能的注册请求,所述注册请求包括互联目的下允许访问的陆地公用移动通信网络列表,所述陆地公用移动通信网络列表包括第二陆地公用移动通信网络;A transceiver unit configured to receive a registration request for a first network function located in the first terrestrial public mobile communication network, where the registration request includes a list of terrestrial public mobile communication networks that are allowed to be accessed for interconnection purposes, and the terrestrial public mobile communication network The list includes the second terrestrial public mobile communications network; 处理单元,用于完成对所述第一网络功能的注册;A processing unit, configured to complete registration of the first network function; 所述收发单元,还用于接收来自第二网络功能的第一请求消息,所述第二网络功能位于所述第二陆地公用移动通信网络,所述第一请求消息用于请求访问令牌,所述访问令牌用于访问位于所述第一陆地公用移动通信网络的第一网络功能的第一服务,所述第一请求消息包括所述第二陆地公用移动通信网络的标识符和所述互联目的;The transceiver unit is also configured to receive a first request message from a second network function, the second network function is located in the second land public mobile communication network, and the first request message is used to request an access token, The access token is used to access a first service of a first network function located in the first terrestrial public mobile communication network, and the first request message includes an identifier of the second terrestrial public mobile communication network and the Internet 
purpose; 所述处理单元,还用于响应于所述第一请求消息,生成所述访问令牌,所述访问令牌包括所述第二陆地公用移动通信网络的标识符和所述互联目的;The processing unit is further configured to generate the access token in response to the first request message, the access token including the identifier of the second land public mobile communication network and the interconnection purpose; 所述收发单元还用于:向所述第二网络功能发送所述访问令牌。The transceiver unit is also configured to: send the access token to the second network function. 24.根据权利要求23所述的装置,其特征在于,所述注册请求进一步包括:所述互联目的下允许访问所述第一网络功能的网络功能的信息;24. The device according to claim 23, wherein the registration request further includes: information about network functions that are allowed to access the first network function under the interconnection purpose; 所述第一请求消息进一步包括:所述第二网络功能的信息;The first request message further includes: information about the second network function; 所述处理单元具体用于:确定所述互联目的下允许访问所述第一网络功能的网络功能的信息包括所述第二网络功能的信息;The processing unit is specifically configured to: determine that the information of the network function that is allowed to access the first network function under the interconnection purpose includes the information of the second network function; 所述第一网络存储功能生成所述访问令牌,所述访问令牌还包括所述第二网络功能的信息;The first network storage function generates the access token, and the access token also includes information about the second network function; 或者,or, 所述注册请求进一步包括:所述互联目的下允许访问所述第一网络功能的网络功能的信息,以及所述互联目的下允许被访问的服务的信息;The registration request further includes: information about network functions that are allowed to access the first network function under the interconnection purpose, and information about services that are allowed to be accessed under the interconnection purpose; 所述第一请求消息进一步包括:所述第二网络功能的信息以及所述第一服务的信息;The first request message further includes: information about the second network function and information about the first service; 所述处理单元具体用于:确定所述网络功能的信息包括所述第二网络功能的信息,以及所述互联目的下允许被访问的服务的信息包括所述第一服务的信息;The processing unit is specifically configured to: determine that the information about the network 
function includes information about the second network function, and that the information about services allowed to be accessed under the interconnection purpose includes information about the first service; 生成所述访问令牌,所述访问令牌还包括所述第二网络功能的信息以及所述第一服务的信息。The access token is generated, and the access token further includes information about the second network function and information about the first service. 25.一种服务授权的装置,其特征在于,包括:25. A device for service authorization, characterized by including: 收发单元,用于接收来自第二网络功能的服务请求消息,所述第二网络功能位于第二陆地公用移动通信网络,所述服务请求消息用于请求位于第一陆地公用移动通信网络的第一网络功能向所述第二网络功能提供第一服务;A transceiver unit configured to receive a service request message from a second network function located in a second terrestrial public mobile communication network, and the service request message is used to request a first terrestrial public mobile communication network located in the first terrestrial public mobile communication network. The network function provides the first service to the second network function; 处理单元,用于执行所述第二网络功能使用所述第一服务的授权,配置的参数包括互联目的下允许访问所述第一网络功能的网络功能的信息,在所述执行授权之前,根据所述配置的参数确定所述互联目的下允许访问所述第一网络功能的网络功能的信息包括所述第二网络功能的信息。A processing unit configured to perform authorization for the second network function to use the first service. The configured parameters include information on network functions that are allowed to access the first network function for interconnection purposes. Before the authorization is performed, according to The configured parameters determine that the information of the network function that is allowed to access the first network function under the interconnection purpose includes the information of the second network function. 26.根据权利要求25所述的装置,其特征在于,所述装置位于所述第一陆地公用移动通信网络,所述配置的参数还包括互联目的下允许访问所述第一陆地公用移动通信网络的陆地公用移动通信网络的列表,26. 
The device according to claim 25, wherein the device is located in the first terrestrial public mobile communication network, and the configured parameters further include allowing access to the first terrestrial public mobile communication network for interconnection purposes. List of terrestrial public mobile communications networks, 所述处理单元还用于:在所述执行授权之前,根据所述配置的参数确定所述互联目的下允许访问所述第一陆地公用移动通信网络的陆地公用移动通信网络的列表包括所述第二陆地公用移动通信网络;The processing unit is further configured to: before performing the authorization, determine according to the configured parameters that a list of land public mobile communication networks that are allowed to access the first land public mobile communication network for the interconnection purpose includes the third land public mobile communication network. 2. Land public mobile communication network; 或者,or, 所述处理单元还用于:在所述执行授权之前,根据所述配置的参数确定所述互联目的下允许所述第二陆地公用移动通信网络访问的陆地公用移动通信网络的列表包括所述第一陆地公用移动通信网络,所述装置位于所述第二陆地公用移动通信网络,所述配置的参数还包括互联目的下允许所述第二陆地公用移动通信网络访问的陆地公用移动通信网络的列表。The processing unit is further configured to: before performing the authorization, determine according to the configured parameters that a list of land public mobile communication networks that are allowed to be accessed by the second land public mobile communication network for the interconnection purpose includes the third land public mobile communication network. A land public mobile communication network, the device is located in the second land public mobile communication network, and the configured parameters also include a list of land public mobile communication networks that are allowed to be accessed by the second land public mobile communication network for interconnection purposes. . 27.根据权利要求25或26所述的装置,其特征在于,所述配置的参数还包括所述互联目的下允许被访问的服务的信息,27. 
The device according to claim 25 or 26, wherein the configured parameters also include information about services that are allowed to be accessed for the purpose of interconnection, 所述处理单元还用于:在所述执行授权之前,根据所述配置的参数确定所述互联目的下允许被访问的服务的信息包括所述服务请求消息中携带的第一服务的信息。The processing unit is further configured to: before performing the authorization, determine according to the configured parameters that the information of the services allowed to be accessed under the interconnection purpose includes the information of the first service carried in the service request message. 28.根据权利要求25至27中任一项所述的装置,其特征在于,所述处理单元还用于:拒绝所述第二网络功能使用所述第一服务,在所述拒绝之前,根据所述配置的参数确定所述互联目的下允许访问所述第一网络功能的网络功能的信息不包括所述第二网络功能的信息。28. The device according to any one of claims 25 to 27, wherein the processing unit is further configured to: deny the second network function to use the first service, and before the denial, according to The configured parameters determine that the information of the network function that is allowed to access the first network function under the interconnection purpose does not include the information of the second network function. 29.根据权利要求25至27中任一项所述的装置,其特征在于,所述装置位于所述第一陆地公用移动通信网络,所述配置的参数还包括互联目的下允许访问所述第一陆地公用移动通信网络的陆地公用移动通信网络的列表,29. The device according to any one of claims 25 to 27, characterized in that the device is located in the first land public mobile communication network, and the configured parameters further include allowing access to the third land mobile communication network for interconnection purposes. 
a list of terrestrial public mobile telecommunications networks, 所述处理单元还用于:拒绝所述第二网络功能使用所述第一服务,在所述拒绝之前,根据所述配置的参数确定所述互联目的下允许访问所述第一陆地公用移动通信网络的陆地公用移动通信网络的列表不包括所述第二陆地公用移动通信网络;The processing unit is further configured to: deny the second network function to use the first service, and before the denial, determine according to the configured parameters to allow access to the first land public mobile communication for the interconnection purpose The list of terrestrial public mobile communication networks of the network does not include the second terrestrial public mobile communication network; 或者,所述装置位于所述第二陆地公用移动通信网络,所述配置的参数还包括互联目的下允许所述第二陆地公用移动通信网络访问的陆地公用移动通信网络的列表,Alternatively, the device is located in the second terrestrial public mobile communication network, and the configured parameters further include a list of terrestrial public mobile communication networks that are allowed to be accessed by the second terrestrial public mobile communication network for interconnection purposes, 所述处理单元还用于:拒绝所述第二网络功能使用所述第一服务,在所述拒绝之前,根据所述配置的参数确定所述互联目的下允许所述第二陆地公用移动通信网络访问的陆地公用移动通信网络的列表不包括所述第一陆地公用移动通信网络。The processing unit is further configured to: deny the second network function to use the first service, and before the denial, determine according to the configured parameters to allow the second land public mobile communication network for the interconnection purpose. The list of visited terrestrial public mobile communication networks does not include the first terrestrial public mobile communication network. 30.根据权利要求25至27中任一项所述的装置,其特征在于,所述配置的参数还包括所述互联目的下允许被访问的服务的信息,30. The device according to any one of claims 25 to 27, wherein the configured parameters also include information about services that are allowed to be accessed for the purpose of interconnection, 所述处理单元还用于:拒绝所述第二网络功能使用所述第一服务,在所述拒绝之前,根据所述配置的参数确定所述允许被访问的服务的信息不包括所述第一服务的信息。The processing unit is further configured to: deny the second network function to use the first service. 
Before the denial, determine according to the configured parameters that the information of the service allowed to be accessed does not include the first service. Service information. 31.一种计算机可读存储介质,其特征在于,所述计算机可读存储介质存储有计算机程序,当所述计算机程序在计算机上运行时,使得计算机执行如权利要求1至7中任一项所述的方法,或者使得计算机执行如权利要求8或9所述的方法,或者使得计算机执行如权利要求10至15中任一项所述的方法。31. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program, and when the computer program is run on a computer, it causes the computer to execute any one of claims 1 to 7 The method either causes the computer to perform the method described in claim 8 or 9, or causes the computer to perform the method described in any one of claims 10 to 15. 32.一种计算机程序产品,其特征在于,包括计算机程序指令,所述计算机程序指令在计算机上运行时,使得计算机执行如权利要求1至7中任一项所述的方法,或者使得计算机执行如权利要求8或9所述的方法,或者使得计算机执行如权利要求10至15中任一项所述的方法。32. A computer program product, characterized in that it includes computer program instructions. When the computer program instructions are run on a computer, they cause the computer to perform the method according to any one of claims 1 to 7, or cause the computer to perform The method according to claim 8 or 9, or causing the computer to perform the method according to any one of claims 10 to 15. 33.一种通信装置,其特征在于,包括至少一个处理器,所述至少一个处理器用于执行存储在存储器中的计算机程序或指令,以执行如权利要求1至7中任一项所述的方法,或者以执行或如权利要求8或9所述的方法,或者以执行如权利要求10至15中任一项所述的方法。33. A communication device, characterized by comprising at least one processor configured to execute a computer program or instructions stored in a memory to perform the method of any one of claims 1 to 7 Method, either to perform a method as claimed in claim 8 or 9, or to perform a method as described in any one of claims 10 to 15.
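The three checks the claims describe, as an added example that is not the patent's or Huawei's code: token issuance at the network repository function (claims 23 and 24), comparison of a service request against the token at the producer network function or a security edge protection proxy (claims 16 to 21), and the configuration-based check at a security edge protection proxy (claims 10 to 15). The field names, the "interconnection" purpose string, the treatment of network function and service "information" as opaque strings, and the sample identifiers are all assumptions; token integrity protection is assumed to be handled before these checks and is not shown.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed example: purpose value, field names and the opaque NF / service
# "information" strings are assumptions, not values taken from the patent.
INTERCONNECT = "interconnection"


@dataclass
class NfProfile:
    """What the first network function registers with its NRF (claims 23-24)."""
    nf_info: str                                               # e.g. an NF instance id (assumed)
    allowed_plmns: Set[str]                                    # PLMNs allowed under the interconnection purpose
    allowed_nfs: Set[str] = field(default_factory=set)         # optional, claim 24
    allowed_services: Set[str] = field(default_factory=set)    # optional, claim 24


class NRF:
    """First network repository function: registration and token issuance."""

    def __init__(self) -> None:
        self.profiles: Dict[str, NfProfile] = {}

    def register(self, profile: NfProfile) -> None:
        self.profiles[profile.nf_info] = profile

    def issue_token(self, req: Dict[str, str]) -> Optional[Dict[str, str]]:
        """req is the first request message (consumer PLMN id, purpose, target NF,
        optionally the consumer's NF info and wanted service). None means refused."""
        prof = self.profiles.get(req["target_nf"])
        if prof is None or req["purpose"] != INTERCONNECT:
            return None
        if req["plmn_id"] not in prof.allowed_plmns:           # claim 23
            return None
        token = {"plmn_id": req["plmn_id"], "purpose": INTERCONNECT}
        if prof.allowed_nfs:                                   # claim 24, first branch
            if req.get("nf_info") not in prof.allowed_nfs:
                return None
            token["nf_info"] = req["nf_info"]
        if prof.allowed_services:                              # claim 24, second branch
            if req.get("service") not in prof.allowed_services:
                return None
            token["service"] = req["service"]
        return token


def verify_token_request(token: Dict[str, str],
                         request: Dict[str, str]) -> Tuple[bool, str]:
    """Claims 16-21: the producer NF or a SEPP compares the service request
    (PLMN id, purpose, and NF info / service when the token carries them)
    with the token and refuses on any mismatch. Token integrity protection
    is assumed to have been checked before this point and is not shown."""
    if request["plmn_id"] != token.get("plmn_id"):
        return False, "PLMN identifier does not match the token"
    if request["purpose"] != token.get("purpose"):
        return False, "request purpose does not match the token purpose"
    for fld in ("nf_info", "service"):
        if fld in token and request.get(fld) != token[fld]:
            return False, f"{fld} does not match the token"
    return True, "authorized"


def sepp_authorize(config: Dict[str, Set[str]], sepp_plmn: str,
                   request: Dict[str, str]) -> Tuple[bool, str]:
    """Claims 10-15: configuration-based authorization at a SEPP.
    config keys (assumed names): 'allowed_nfs', optional 'allowed_services',
    and 'plmns_allowed_in' (SEPP in the producer's PLMN: who may reach us) or
    'plmns_allowed_out' (SEPP in the consumer's PLMN: whom we may reach)."""
    if request["nf_info"] not in config["allowed_nfs"]:                 # claims 10, 13
        return False, "consumer NF not allowed under the interconnection purpose"
    if sepp_plmn == request["producer_plmn"]:                           # claims 11, 14 (first PLMN)
        if request["plmn_id"] not in config.get("plmns_allowed_in", set()):
            return False, "consumer PLMN not allowed to access this PLMN"
    elif request["producer_plmn"] not in config.get("plmns_allowed_out", set()):
        return False, "this PLMN is not allowed to access the producer PLMN"   # claims 11, 14 (second PLMN)
    if "allowed_services" in config and request["service"] not in config["allowed_services"]:
        return False, "service not allowed under the interconnection purpose"   # claims 12, 15
    return True, "authorized"


if __name__ == "__main__":      # constructed sample values, not from the patent
    nrf = NRF()
    nrf.register(NfProfile("AUSF-1", {"PLMN-B"}, {"AMF-7"}, {"nausf-auth"}))
    token = nrf.issue_token({"target_nf": "AUSF-1", "plmn_id": "PLMN-B", "purpose": INTERCONNECT,
                             "nf_info": "AMF-7", "service": "nausf-auth"})
    print(token, verify_token_request(token, {"plmn_id": "PLMN-B", "purpose": INTERCONNECT,
                                              "nf_info": "AMF-7", "service": "nausf-auth"}))
```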
CN202210237627.3A 2022-03-11 2022-03-11 Authorization verification methods and devices Pending CN116782228A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210237627.3A CN116782228A (en) 2022-03-11 2022-03-11 Authorization verification methods and devices
PCT/CN2023/077414 WO2023169206A1 (en) 2022-03-11 2023-02-21 Authorization verification method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210237627.3A CN116782228A (en) 2022-03-11 2022-03-11 Authorization verification methods and devices

Publications (1)

Publication Number Publication Date
CN116782228A true CN116782228A (en) 2023-09-19

Family

ID=87937201

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210237627.3A Pending CN116782228A (en) 2022-03-11 2022-03-11 Authorization verification methods and devices

Country Status (2)

Country Link
CN (1) CN116782228A (en)
WO (1) WO2023169206A1 (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109688586B (en) * 2017-10-19 2021-12-07 中兴通讯股份有限公司 Network function authentication method and device and computer readable storage medium
CN113748699B (en) * 2019-04-27 2024-10-22 诺基亚技术有限公司 Service authorization for indirect communication in a communication system
US12058123B2 (en) * 2019-06-24 2024-08-06 Nokia Technologies Oy Apparatuses and methods relating to authorization of network functions
CN113438196B (en) * 2020-03-23 2022-10-25 华为技术有限公司 A service authorization method, device and system
CN112003912B (en) * 2020-08-13 2021-11-02 广州爱浦路网络技术有限公司 Method for authenticating NF through SEPP in 5G core network

Also Published As

Publication number Publication date
WO2023169206A1 (en) 2023-09-14


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination