Remove INVALID_TOKEN_CONTEXT

[bigludo7]

          A valid 3-legged access token implies that an identifier is associated with the access token which can be used to identify the subscription. This identifier can be a MSISDN but it can be anything the API provider seems fit e.g. IMSI or ICCID. 

I think that the case where there is a valid access token that is not associated with a subscription identifier (phone number) does not exist if the access token was created using a 3-legged flow.

I suggest that Commonalities defines an error for all APIs that means that the API provider tried network-based authentication but failed. I would go with
{
"status": 400,
"code": "BAD REQUEST",
"message": "identifying the subscription failed"
}
if the API consumer failed to send the code request over a CSP connection controlled by the API provider.

If CIBA is used, then this case can not happen, because the login_hint is backed into the access token. But CIBA does not really identify the end-user, which I think is important in most jurisdictions.

Regarding CIBA vs OIDC authorization code flow with Age Verification, I think the API description should have some text explaining to the API consumer that CIBA uses an authentication device and if a minor has access to their parent's or to some other adult's mobile phone then CIBA relies on the adult's ability to keep their mobile phone out of the hands of the minor.
OIDC authorization code flow could make use of network-based authentication but then the age of the subscriber is verified and not the age of the end-user. If Age Verification promises to the API consumer that it verifies the age of the end-user then, OIDC authorization code flow with max_age=0 is the only solution, I think.

Originally posted by @AxelNennker in #161 (comment)

[bigludo7]

Response from @fernandopradocabrillo

I think that, speaking only about Number Verification API, the INVALID_TOKEN_CONTEXT error cannot happen. This API is intended to use with Auth Code Network auth, which means 3-legged and, as Axel said, is not possible to have a valid access token not associated with an identifier.

The invalid token context error is checking the same as the core functionality of the API, which is that the phone number used for the network based authentication is the same one included in the request body. If they don't match, number verification returns a false.

What we wanted to check with @trehman-gsma is how this error has been tested in previous versions. I think it was excluded based on technical limitations.

If we have no use for this error, maybe it is best to remove it, even if we have to upgrade the major version.

[eric-murray]

I suggest that Commonalities defines an error for all APIs that means that the API provider tried network-based authentication but failed. I would go with
{
"status": 400,
"code": "BAD REQUEST",
"message": "identifying the subscription failed"
}

If the authorisation server cannot identify the device (and hence the subscription) in the authorisation code flow, then the flow will fail and no access token will be generated. So it should not get to the point where an access token is created with no associated subscription identifier.

If that happened, I think that would be a 500 error, as the API provider implementation is broken. If a "one off" and it is expected to work the next time, then maybe a 401, as the solution would be for the API consumer to get a new token.

If the access token is long lived, there is the possibility that the mobile subscription itself has been deleted during the lifetime of the token. The solution here is probably not to have long lived access tokens, but otherwise a 401 will tell the API consumer to get a new token.

I don't think CAMARA need standardise any of this behaviour.

[fernandopradocabrillo]

Agree, I think we should remove it since this error cannot happen, particulary in this API where the main functionality is basically check the input identifier against the token

[bigludo7]

@fernandopradocabrillo @eric-murray @AxelNennker I guess I can move forward on removing INVALID_TOKEN_CONTEXT as seems we have an alignement (I will trigger a PR) - Question now is to assess if we need to introduce a specific 400 code or not.

I understood

1. this point is not relevant only for this API but all so should be discussed in Commonalities
2. we're not all aligned (yet) if the 400 is necessary or not.