.wpb_animate_when_almost_visible { opacity: 1; }

Device Location Verification - CAMARA Sandbox

  • Network APIs
  • Location

Implement precise location-based services by confirming if a device is within a specified geographical area

Use this API Contact us
Download

Device Location Verification
 1.0.0 
OAS 3.0

https://developer.orange.com/ope-contents/channels/87afd7365baec589/offers/MudHtY8gms1QsLde/products/Xbsz85FptL9slIb3/contents/swagger/6QHFQx2DbImZP0pn/location-verification.v1.0.0.OD.yaml

This API provides the consumer with the ability to verify the location of a device.

Introduction

API consumers are able to verify whether the location of certain user device is within the area specified. Currently the only area supported as input is a circle determined by a set of coordinates (latitude and longitude) and some expected accuracy (radius).

The verification result depends on the network's ability and accuracy to locate the device at the requested area.

  • If the network's estimation of the device's location is fully contained within the requested area, the verification result is TRUE.
  • If the network's estimation of the device's location does not overlap with the requested area at all, the verification result is FALSE.
  • If the network's estimation of the device's location partially overlaps with the requested area, or it fully contains the requested area (because it is larger), the result is 'PARTIAL'. In this case, a match_rate is included in the response, indicating an estimation of the likelihood of the match in percent.
  • Lastly, the network may not be able to locate the device. In this case, the verification result is UNKNOWN.

The client may optionally include a maxAge indication. If the location information known to the server is older than the specified maxAge, an error 422 with code LOCATION_VERIFICATION.UNABLE_TO_FULFILL_MAX_AGE is sent back.

lastLocationTime will be always included in the success response unless there is no historical location information available for the device. In this case, UNKNOWN will be returned without lastLocationTime.

Location Verification could be useful in scenarios such as:

  • Fraud protection, to ensure a given user is located in the location area claimed for financial transactions.
  • Verification of GPS coordinates reported by the app on a device, to ensure the GPS was not faked, e.g. for content delivery with regional restrictions.
  • Contextual-based advertising, to trigger advertising after verifying the device is in the area of interest.
  • Smart mobility (vehicle / bikes renting), to confirm the location of the device and the location of the vehicle/bike to guarantee they are rented correctly.

Relevant terms and definitions

  • Device: A device refers to any physical entity that can connect to a network and participate in network communication.

  • Area: It specifies the geographical surface where a device may be physically located.

  • Max Age: Maximum age of the location information which is accepted for the location verification (in seconds).

    • Absence of maxAge means "any age" is acceptable for the client. In other words, this is like maxAge=infinite. In this case the system will still return lastLocationTime, if available.
    • maxAge=0 means a fresh calculation is requested by the client. If the system is not able to provide the fresh location, an error 422 with code LOCATION_VERIFICATION.UNABLE_TO_FULFILL_MAX_AGE is sent back.
  • Verification: Process triggered in the API server to confirm or contradict the expectation assumed by the API client about the device location.

API Functionality

The API exposes a single endpoint/operation:

  • Verify whether the device location is within a requested area, currently a circle with center specified by the latitude and longitude, and radius specified by the accuracy. The operation returns a verification result and, optionally, a match rate estimation for the location verification in percent.

Authorization and authentication

The "Camara Security and Interoperability Profile" provides details on how a client requests an access token. Please refer to Identify and Consent Management (https://github.com/camaraproject/IdentityAndConsentManagement/) for the released version of the Profile.

Which specific authorization flows are to be used will be determined during onboarding process, happening between the API Client and the API Provider, taking into account the declared purpose for accessing the API, while also being subject to the prevailing legal framework dictated by local legislation.

It is important to remark that in cases where personal user data is processed by the API, and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory. This measure ensures that the API remains in strict compliance with user privacy preferences and regulatory obligations, upholding the principles of transparency and user-centric data control.

Identifying a device from the access token

This specification defines the device object field as optional in API requests, specifically in cases where the API is accessed using a 3-legged access token, and the device can be uniquely identified by the token. This approach simplifies API usage for API consumers by relying on the device information associated with the access token used to invoke the API.

Handling of device information:

Optional device object for 3-legged tokens:

  • When using a 3-legged access token, the device associated with the access token must be considered as the device for the API request. This means that the device object is not required in the request, and if included it must identify the same device, therefore it is recommended NOT to include it in these scenarios to simplify the API usage and avoid additional validations.

Validation mechanism:

  • The server will extract the device identification from the access token, if available.
  • If the API request additionally includes a device object when using a 3-legged access token, the API will validate that the device identifier provided matches the one associated with the access token.
  • If there is a mismatch, the API will respond with a 403 - INVALID_TOKEN_CONTEXT error, indicating that the device information in the request does not match the token.

Error handling for unidentifiable devices:

  • If the device object is not included in the request and the device information cannot be derived from the 3-legged access token, the server will return a 422 UNIDENTIFIABLE_DEVICE error.

Restrictions for tokens without an associated authenticated identifier:

  • For scenarios which do not have a single device identifier associated to the token during the authentication flow, e.g. 2-legged access tokens, the device object MUST be provided in the API request. This ensures that the device identification is explicit and valid for each API call made with these tokens.

Further info and support

(FAQs will be added in a later version of the documentation)

Apache 2.0
Project documentation at CAMARA
Servers
Computed URL:https://api.orange.com/camara/orange-lab/location-verification/v1

Server variables

apiRoot
basePath

Location verification

Verification of the location of a device

HTTP status code Reason Response model
400 List of supported error codes:
- 20: Invalid URL parameter value
- 21: Missing body
- 22: Invalid body
- 23: Missing body field
- 24: Invalid body field
- 25: Missing header
- 26: Invalid header value
- 27: Missing query-string parameter
- 28: Invalid query-string parameter value		 
{
  "code": 28,
  "message": "Invalid query-string parameter value",
  "description": "One or more query-string parameters contain invalid values."
}
401 List of supported error codes:
- 40: Missing credentials
- 41: Invalid credentials
- 42: Expired credentials		 
{
  "code": 42,
  "message": "Expired credentials",
  "description": "The requested service needs credentials, and the ones provided were out-of-date."
}
403 List of supported error codes:
- 50: Access denied
- 51: Forbidden requester
- 52: Forbidden user
- 53: Too many requests		 
{
  "code": 53,
  "message": "Too many requests",
  "description": "The application has made too many calls and has exceeded the rate limit for this service."
}
404 List of supported error codes:
- 60: Resource not found		 
{
  "code": 60,
  "message": "Resource not found",
  "description": "The requested URI or the requested resource does not exist."
}
405 List of supported error codes:
- 61: Method not allowed		 
{
  "code": 61,
  "message": "Method not allowed",
  "description": "The URI does not support the requested method. The available methods should be set in the response header 'Allow'"
}
406 List of supported error codes:
- 62: Not acceptable		 
{
  "code": 62,
  "message": "Not acceptable",
  "description": "The Accept incoming header does not match any available content-type."
}
408 List of supported error codes:
- 63: Request time-out		 
{
  "code": 63,
  "message": "Request time-out",
  "description": "The server timed out waiting for the incoming request."
}
409 List of supported error codes:
- 69: Conflict		 
{
  "code": 69,
  "message": "Conflict",
  "description": "The request could not be completed due to a conflict with the current state of the resource."
}
411 List of supported error codes:
- 64: Length required		 
{
  "code": 64,
  "message": "Length required",
  "description": "The request did not specify a Content-Length header, which is required by the requested resource."
}
412 List of supported error codes:
- 65: Precondition failed		 
{
  "code": 65,
  "message": "Precondition failed",
  "description": "One of the precondition request headers (aka. 'If-None-Match', 'If-Match', 'If-Modified-Since', and 'If-Unmodified-Since') failed to match."
}
413 List of supported error codes:
- 66: Request entity too large		 
{
  "code": 66,
  "message": "Request entity too large",
  "description": "The body of the request/response (PATCH, POST and PUT methods) is larger than the server is willing or able to process."
}
414 List of supported error codes:
- 67: Request-URI too long		 
{
  "code": 67,
  "message": "Request-URI too long",
  "description": "The URI provided was too long for the server to process."
}
415 List of supported error codes:
- 68: Unsupported Media Type		 
{
  "code": 68,
  "message": "Unsupported Media Type",
  "description": "The format of the posted body is not supported by the endpoint."
}
429 List of supported error codes:
- 53: Too many requests		 
{
  "code": 53,
  "message": "Too many requests",
  "description": "The application has made too many calls and has exceeded the rate limit for this service."
}
500 List of supported error codes:
- 1: Internal error		 
{
  "code": 1,
  "message": "Internal error",
  "description": "Generic failure message, used if no more precise code can be provided."
}
502 List of supported error codes:
- 1: Internal error
- 3: Bad gateway		 
{
  "code": 1,
  "message": "Bad gateway",
  "description": "A runtime execution error occurs (RaiseFault)."
}
503 List of supported error codes:
- 5: The service is temporarily unavailable
- 6: Orange API is over capacity, retry later !		 
{
  "code": 6,
  "message": "Orange API is over capacity, retry later !",
  "description": "The service faces too much requests and can not handle the call."
}
504 List of supported error codes:
- 6: Gateway timeout		 
{
  "code": 6,
  "message": "Gateway timeout",
  "description": "No response was received in time from a backend server acting as gateway or proxy."
}