
Number Verification - CAMARA - France

Verify phone numbers efficiently to ensure data integrity and enhance user authentication processes


Number Verification
OAS 3.0

https://developer.orange.com/ope-contents/channels/87afd7365baec589/offers/i3xfnv2SBRBO33nc/products/2H4x4iCuptJKO9ho/contents/swagger/yIGPNb9vc8QtkAnn/number-verify (1).yaml

Service Enabling Network Function API to verify that the provided mobile phone number is the one used in the device. It verifies that the user is using a device with the same mobile phone number as the one declared. It also makes it possible for a Service Provider to verify the number itself by returning the phone number associated to the authenticated user's access token.

In this API, the term phone number refers to the mobile phone number.


Number Verification API performs real-time checks to verify the phone number of the mobile device being used to access a service provider (SP) service, where the mobile device is accessing the service provider over a mobile network (WiFi connections are out of this API scope). The SP either gets the comparison result or receives the phone number of the device in use, so it can verify the number itself.

It uses direct mobile network connections to verify possession of a phone number in the background without requiring user interaction. There are neither OTPs (One-time passwords) received by SMS nor authenticator app downloads, so it is much simpler. It can be used at sign up, login, or transaction time to validate that a user's SIM (Subscriber Identity Module) is both actively connected to the mobile network and not spoofed or cloned.

Relevant Definitions and Concepts

  • Network-Based Authentication: Authentication mechanism based on the identification of the endpoint of a network connection. Network operators know to which user a network resource is assigned at a given moment, for example the mobile phone number associated to a specific mobile network connection.

API Functionality

This enables a Service Provider (SP) to verify the phone number of the mobile device being used to access their service where the mobile device is accessing the service provider over a mobile network (WiFi connections are out of this API scope). This can happen either by getting the comparison result or receiving the phone number of the device that is used, so they can verify it themselves.

Resources and Operations overview

This API currently provides two endpoints. Both require a 3-legged token and authentication via the mobile network (methods such as SMS OTP or user/password are excluded):

  • The first one checks if the user mobile phone number matches the phone number associated with the mobile device. It can receive either a hashed or a plain text phone number as input and it compares the received input with the authenticated user's phone number associated to the access token in order to respond true/false.
  • The next one retrieves the phone number associated to the user's token and returns it so the verification can be made by the service provider.
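
An added example (not part of the Orange or CAMARA documentation) of the two verification styles listed above: building the body for the comparison endpoint, and comparing on the SP side the number returned by the second endpoint. The field names `phoneNumber` and `hashedPhoneNumber`, and hashing as SHA-256 hex over the E.164 number, are assumptions that do not appear on this page; confirm them against the API definition used at onboarding. The sample numbers are constructed.

```python
import hashlib
import hmac
import re

# E.164: '+' followed by 7 to 15 digits, no leading zero.
E164 = re.compile(r"\+[1-9]\d{6,14}")

def normalise_e164(raw: str) -> str:
    """Strip common separators, then require strict E.164 or fail closed."""
    number = re.sub(r"[\s().-]", "", raw)
    if not E164.fullmatch(number):
        raise ValueError("phone number is not in E.164 format")
    return number

def build_verify_body(raw_number: str, hashed: bool = True) -> dict:
    """Request body for the comparison endpoint (field names are assumed)."""
    number = normalise_e164(raw_number)
    if hashed:
        # Hash the normalised form so "+33 6 12..." and "+33612..." agree.
        digest = hashlib.sha256(number.encode("ascii")).hexdigest()
        return {"hashedPhoneNumber": digest}
    return {"phoneNumber": number}

def matches_claimed(returned_number: str, claimed_number: str) -> bool:
    """SP-side check for the second endpoint: compare the number returned
    for the access token with the number the user declared."""
    try:
        returned = normalise_e164(returned_number)
        claimed = normalise_e164(claimed_number)
    except ValueError:
        return False  # malformed input never counts as a match
    return hmac.compare_digest(returned.encode(), claimed.encode())
```

An unsalted SHA-256 of a phone number can be reversed by enumerating the number space, so the hashed form needs the same handling in logs and storage as the plain number.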

Sequence Diagram

Number Verification API uses the standard OAuth2 Authorization Code grant. The following diagram will help to clarify the end-to-end process, including previous steps prior to this API call.

UML Sequence Diagram

Additional details:

  • (1): Authentication must be automatic, without any user interaction. Authentication methods such as SMS OTP or user/password are incompatible, as the goal is to validate the mobile phone number that is accessing the App. Authentication is therefore required to happen via the mobile network, without the user being involved. The use of the parameter prompt=none, as described in OpenID Connect, ensures no user interaction.

  • (2): The way in which the phone_number is retrieved depends on the implementation. For example, the access token may be a self-contained encrypted JWT, so the API can decrypt it and identify the phone_number. Other implementations might request the phone_number associated to the token from the Authserver.
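
An added example (not from the Orange or CAMARA documentation) of the client side of step (1): an Authorization Code request carrying prompt=none, and a callback handler that checks `state` and treats the OpenID Connect "silent authentication failed" errors as a distinct outcome. The endpoint, client id, redirect URI and scope value are placeholders to be replaced with the values agreed at onboarding.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values (assumptions): use those provided at onboarding.
AUTHORIZE_ENDPOINT = "https://auth.example.invalid/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://sp.example.invalid/callback"
SCOPE = "openid example-number-verification-scope"

# OpenID Connect errors returned when prompt=none cannot complete silently.
SILENT_AUTH_FAILURES = {"login_required", "interaction_required",
                        "consent_required", "account_selection_required"}

def build_authorization_url():
    """Return (url, state); keep state in the user's session for the callback."""
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "prompt": "none",  # no login or consent screen may be shown
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state

def handle_callback(callback_url: str, expected_state: str) -> dict:
    """Validate the redirect before exchanging the code for a token."""
    query = parse_qs(urlsplit(callback_url).query)

    def first(key: str) -> str:
        return query.get(key, [""])[0]

    # Reject responses that were not triggered by this session.
    if not hmac.compare_digest(first("state").encode(), expected_state.encode()):
        return {"ok": False, "reason": "state_mismatch"}
    error = first("error")
    if error in SILENT_AUTH_FAILURES:
        # The operator could not authenticate the device without interaction.
        return {"ok": False, "reason": "silent_auth_failed", "error": error}
    if error:
        return {"ok": False, "reason": "authorization_error", "error": error}
    if not first("code"):
        return {"ok": False, "reason": "missing_code"}
    return {"ok": True, "code": first("code")}
```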

Authorization and authentication

CAMARA guidelines define a set of authorization flows which can grant API clients access to the API functionality, as outlined in the document CAMARA-API-access-and-user-consent.md. Which specific authorization flows are to be used will be determined during the onboarding process between the API Client and the Telco Operator exposing the API, taking into account the declared purpose for accessing the API, while also being subject to the prevailing legal framework dictated by local legislation.

It is important to remark that in cases where personal user data is processed by the API, and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory. This measure ensures that the API remains in strict compliance with user privacy preferences and regulatory obligations, upholding the principles of transparency and user-centric data control.

In the case of the Number Verification API scenario and according to the API definition, 3-legged access tokens must be used by API clients to invoke this API with dedicated scope. The API client must authenticate on behalf of a specific user to use this service. This must be done via mobile network authentication.

Further info and support

GSMA Mobile Connect Verified MSISDN specification was used as source of input for this API. For more about Mobile Connect, please see Mobile Connect website.

Project documentation at CAMARA
Computed URL: http://localhost:9091/number-verification/v0



Phone number verify

API operation to verify a phone number received as input. It can be received either in plain text or hashed format.

Phone number share

API operation to return the phone number associated to the access token.

    • HTTP status code, reason and response model:

      400: List of supported error codes:
      - 20: Invalid URL parameter value
      - 21: Missing body
      - 22: Invalid body
      - 23: Missing body field
      - 24: Invalid body field
      - 25: Missing header
      - 26: Invalid header value
      - 27: Missing query-string parameter
      - 28: Invalid query-string parameter value
      Response model:
      {
        "code": 28,
        "message": "Invalid query-string parameter value",
        "description": "One or more query-string parameters contain invalid values."
      }

      401: List of supported error codes:
      - 40: Missing credentials
      - 41: Invalid credentials
      - 42: Expired credentials
      Response model:
      {
        "code": 42,
        "message": "Expired credentials",
        "description": "The requested service needs credentials, and the ones provided were out-of-date."
      }

      403: List of supported error codes:
      - 50: Access denied
      - 51: Forbidden requester
      - 52: Forbidden user
      - 53: Too many requests
      Response model:
      {
        "code": 53,
        "message": "Too many requests",
        "description": "The application has made too many calls and has exceeded the rate limit for this service."
      }

      404: List of supported error codes:
      - 60: Resource not found
      Response model:
      {
        "code": 60,
        "message": "Resource not found",
        "description": "The requested URI or the requested resource does not exist."
      }

      405: List of supported error codes:
      - 61: Method not allowed
      Response model:
      {
        "code": 61,
        "message": "Method not allowed",
        "description": "The URI does not support the requested method. The available methods should be set in the response header 'Allow'"
      }

      406: List of supported error codes:
      - 62: Not acceptable
      Response model:
      {
        "code": 62,
        "message": "Not acceptable",
        "description": "The Accept incoming header does not match any available content-type."
      }

      408: List of supported error codes:
      - 63: Request time-out
      Response model:
      {
        "code": 63,
        "message": "Request time-out",
        "description": "The server timed out waiting for the incoming request."
      }

      409: List of supported error codes:
      - 69: Conflict
      Response model:
      {
        "code": 69,
        "message": "Conflict",
        "description": "The request could not be completed due to a conflict with the current state of the resource."
      }

      411: List of supported error codes:
      - 64: Length required
      Response model:
      {
        "code": 64,
        "message": "Length required",
        "description": "The request did not specify a Content-Length header, which is required by the requested resource."
      }

      412: List of supported error codes:
      - 65: Precondition failed
      Response model:
      {
        "code": 65,
        "message": "Precondition failed",
        "description": "One of the precondition request headers (aka. 'If-None-Match', 'If-Match', 'If-Modified-Since', and 'If-Unmodified-Since') failed to match."
      }

      413: List of supported error codes:
      - 66: Request entity too large
      Response model:
      {
        "code": 66,
        "message": "Request entity too large",
        "description": "The body of the request/response (PATCH, POST and PUT methods) is larger than the server is willing or able to process."
      }

      414: List of supported error codes:
      - 67: Request-URI too long
      Response model:
      {
        "code": 67,
        "message": "Request-URI too long",
        "description": "The URI provided was too long for the server to process."
      }

      415: List of supported error codes:
      - 68: Unsupported Media Type
      Response model:
      {
        "code": 68,
        "message": "Unsupported Media Type",
        "description": "The format of the posted body is not supported by the endpoint."
      }

      429: List of supported error codes:
      - 53: Too many requests
      Response model:
      {
        "code": 53,
        "message": "Too many requests",
        "description": "The application has made too many calls and has exceeded the rate limit for this service."
      }

      500: List of supported error codes:
      - 1: Internal error
      Response model:
      {
        "code": 1,
        "message": "Internal error",
        "description": "Generic failure message, used if no more precise code can be provided."
      }

      502: List of supported error codes:
      - 1: Internal error
      - 3: Bad gateway
      Response model:
      {
        "code": 1,
        "message": "Bad gateway",
        "description": "A runtime execution error occurs (RaiseFault)."
      }

      503: List of supported error codes:
      - 5: The service is temporarily unavailable
      - 6: Orange API is over capacity, retry later !
      Response model:
      {
        "code": 6,
        "message": "Orange API is over capacity, retry later !",
        "description": "The service faces too much requests and can not handle the call."
      }

      504: List of supported error codes:
      - 6: Gateway timeout
      Response model:
      {
        "code": 6,
        "message": "Gateway timeout",
        "description": "No response was received in time from a backend server acting as gateway or proxy."
      }