What should be returned when an endpoint is not implemented? #160
Replies: 12 comments 20 replies
-
The first step is to request for the access token, using a scope parameter which points to the targeted API. The access token is required to invoke the APIs.
|
Beta Was this translation helpful? Give feedback.
-
Hello @mhfoo Suppose a Number verification implementation has implemented the /verify but not the /device-phone-number. If an API consumer (not aware of this) wants to use this /device-phone-number, first a
Did i miss something there? |
Beta Was this translation helpful? Give feedback.
-
@AxelNennker @shilpa-padgaonkar Please have a look here. |
Beta Was this translation helpful? Give feedback.
-
I'm a bit confused, maybe I'm wrong, but 501 seems to me actually designed for this job. Or is it designed for something else? |
Beta Was this translation helpful? Give feedback.
-
Hi all, This situation should be avoided as far as possible. APIs should be completely implemented and, in case there are endpoints that are likely to not be implemented by all operators for a known reason, then the best option would probably to generate APIs with less scope and have those endpoints in independent APIs that could be implemented by whoever can/require it. Indeed, that is the approach that have been decided for the evolution of Device Status |
Beta Was this translation helpful? Give feedback.
-
Going back to the original problem which is that a particular endpoint / resource (URI) is not implemented by the server. The suggestion is to respond 501 Not implemented. This code is typically used to indicate functionality generally not supported, such as HTTP methods. For a URI endpoint that the server isn't able to resolve, wouldn't 404 Resource not found be more appropriate? |
Beta Was this translation helpful? Give feedback.
-
@bigludo7 this is true if the endpoint is actually not implemented but we can avoid this: look at camaraproject/EdgeCloud#218 (comment) |
Beta Was this translation helpful? Give feedback.
-
Behaviour regarding Access Token Scope requests is covered by RFC 6749.
Note this does not define behaviour if the scope is included but has an incorrect or unsupported value, but I believe the intent is the same: the scope is invalid because it is not supported. Hence:
So HTTP 400 with a response body indicating 'invalid_scope' appears to be the expected behaviour for the OAuth2 flow. If there is any request to an API endpoint URI that is not implemented, I agree with Uwe that
|
Beta Was this translation helpful? Give feedback.
-
Agree with the comment from @PedroDiez that this situation should be avoided as much as possible. And if this does happen, then agree with the comment from @bigludo7 where the auth server will handle it. |
Beta Was this translation helpful? Give feedback.
-
I interpret this sentence "what should be returned for the remaining endpoints?" as "we are past the authorization server" in this discussion. The client is using an access token to call endpoint E and the telco has not implemented it. I think a telco cannot and must not "choose" to implement only some endpoints. When it comes to implementing a Camara API it is all-or-nothing. |
Beta Was this translation helpful? Give feedback.
-
Quote from CAMARA_common.yaml
|
Beta Was this translation helpful? Give feedback.
-
I think the discussion reached a point where somebody should write a PR to https://github.com/camaraproject/Commonalities/blob/main/documentation/API-design-guidelines.md#3-api-definition If an API has k optional features then we would have 2^k yaml files, each for that feature being "on" or "off". Do we have a business demand for optional features? Products sim-swap and sim-swap-deluxe? If there is a demand, then we can technically implement this in the AZ and RS. The implementation of the AZ and RS seem straight forward. Actually, I think, there is not even some special handling needed for these cases. I think "501 not implemented" should be regarded as an internal error (valid access token but still the telco has not implemented the endpoint). The AZ should never create an access token that leads to a 501. Anyway, there should be some guideline in Commonalities regarding this. |
Beta Was this translation helpful? Give feedback.
-
For example, DeviceStatus has
/roaming
,/connectivity
, and/subscriptions
. If an operator only chooses to implement/roaming
, what should be returned for the remaining endpoints?The CAMARA_common.yaml has a
501 NotImplemented
example. I assume this should be used when an endpoint is not implemented - is anyone able to confirm?Beta Was this translation helpful? Give feedback.
All reactions