feat: define token-type-dependent phoneNumber handling for registration POST /sessions (#158)#187
Merged
stroncoso merged 2 commits intoJul 6, 2026
Conversation
…on POST /sessions (camaraproject#158) dds an optional phoneNumber field to POST /sessions and defines token-type-dependent subscriber identification. - Three-legged token: phoneNumber resolved from token, MUST NOT be in body (422 UNNECESSARY_IDENTIFIER). - Two-legged token: phoneNumber MUST be in body (422 MISSING_IDENTIFIER). Adds the optional phoneNumber property and the CreateSessionUnprocessable422 response. Existing (deviceId, phoneNumber) uniqueness and 409 behaviour unchanged. Signed-off-by: Deepak Jaiswal <deepak.jaiswal1@t-mobile.com>
…legged) (camaraproject#158) document 403 PERMISSION_DENIED for unauthorized phoneNumber (2-legged) (camaraproject#158) Signed-off-by: Deepak Jaiswal <deepak.jaiswal1@t-mobile.com>
Contributor
|
Hi @deepakjaiswal1 , Please use the standarized template for PRs:
Now that we have an automated release process, we need to keep the PR descriptions on track with the official template. Sorry for the extra work here 🙇 Thanks |
Collaborator
Author
|
@stroncoso I updated the PR description per CAMARA standard template. Warm regards, |
Contributor
|
Thanks @deepakjaiswal1 , but you close the PR on the way... Did you intended that? If you reopen it, I can review and approve. Thanks! |
Collaborator
Author
|
@stroncoso I have re-opened the PR. |
stroncoso
approved these changes
Jul 6, 2026
stroncoso
left a comment
Contributor
There was a problem hiding this comment.
LGTM. Thanks for your contribution!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
Add one of the following kinds:
What this PR does / why we need it:
WebRTC registrations target softphones, which are decoupled from any SIM. As a result, a single
deviceIdcan be associated with more than one phone number — for example, an enterprise activating one number from its pool on a user's device. This raises the question of how a specific number is selected at registration.In the CAMARA model, an access token identifies at most one subscriber, and the way the subscriber's
phoneNumberis determined depends on the type of token:phoneNumberserver-side.phoneNumberexplicitly.Previously the spec only covered the three-legged case, leaving no way to register a specific number under a two-legged token.
Which issue(s) this PR fixes:
Fixes #158
Special notes for reviewers:
Strict handling of the identifier by token type:
phoneNumberMUST NOT be in the request body (resolved from the token); if present →422 UNNECESSARY_IDENTIFIER.phoneNumberMUST be in the request body; if omitted →422 MISSING_IDENTIFIER.Rejecting (rather than validating) a body
phoneNumberunder a three-legged token also prevents the endpoint from being used as an MSISDN lookup/verification oracle.Changes in this PR: new optional
phoneNumberinRegSessionRequest(references existingPhoneNumberschema, stays out ofrequired);POST /sessionsdescription updated; new422responseCreateSessionUnprocessable422(MISSING_IDENTIFIER,UNNECESSARY_IDENTIFIER) referenced fromPOST /sessions; uniqueness-constraint wording generalised for both token types.Non-breaking:
phoneNumberdid not previously exist in the request body, so the new422rules cannot reject previously-valid requests. Existing (deviceId,phoneNumber) uniqueness and409 ALREADY_EXISTSbehaviour unchanged. Validated with OpenAPI 3.0.3 schema validation and Spectral (no new findings). Approach settled in the WG discussion on #158.Changelog input
Additional documentation
Reference: CAMARA Identity and Consent Management (Security & Interoperability Profile) — access-token types and server-side subscriber identity resolution.