WO2021159891A1 - Request, query and authorization processing method for call, devices, apparatus, and medium - Google Patents


Info

Publication number
WO2021159891A1
Authority
WO
WIPO (PCT)
Prior art keywords
call
user
authorization
nef
information
Prior art date
Application number
PCT/CN2021/070468
Other languages
French (fr)
Chinese (zh)
Inventor
毕晓宇
张玲
侯云静
陶源
Original Assignee
大唐移动通信设备有限公司
Priority date
Filing date
Publication date
Application filed by 大唐移动通信设备有限公司
Publication of WO2021159891A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]

Definitions

  • the present disclosure relates to the field of wireless communication technology, and in particular to a method, equipment, device, and medium for calling request, query, and authorization processing.
  • Edge computing is an important technology that meets the key performance indicators of 5G networks.
  • Operators can provide computing capabilities and services for vertical industries through the deployment of MEC (Multi-access Edge Computing), and open network capabilities to third-party applications.
  • MEC Multi-access Edge Computing
  • vertical industries can deploy various applications to the edge of the operator's network with the help of MEC, and invoke the capabilities of network openness.
  • FIG. 1 is a schematic diagram of the network architecture of the MEC with offloaded UPF (User Plane Function) defined by SA2
  • Figure 2 is a schematic diagram of the network architecture of the MEC without offloaded UPF defined by SA2.
  • the two edge computing architectures defined by SA2 are shown in Figures 1 and 2, where the local UPF (PSA (PDU Session Anchor; PDU: Protocol Data Unit)/BP (Branching Point)) performs local offloading, the remote UPF serves as the remote anchor point of the edge computing service, and the local UPF (User Plane Function) and the remote UPF access the same DN (Data Network).
  • the offloading strategy is in charge of the SMF (Session Management Function), and the SMF can formulate offloading strategies based on the operating status, application location, or UE (User Equipment) location.
  • SMF Session Management Function
  • FIG. 3 is a schematic diagram of the network structure of the edge data network providing services to the UE.
  • the current application layer of edge computing is divided into a three-layer structure: the edge application server (Edge Application Server), the edge computing enabling server (Edge Enabler Server), and the edge data network configuration server (Edge Data Network Configuration Server).
  • the UE acts as an edge computing application client (Application Client) to make an application request to the edge computing application server. Before the request, the UE needs to obtain information about the edge computing application server from the edge computing enabling server in order to establish interaction with the edge application server.
  • the edge data network configuration server is used to send the edge application server address to the Edge Enabler Client of the UE.
  • the edge computing network and the 3GPP network interact with corresponding network elements through edge application servers and edge computing enabling servers.
  • the disadvantage of the related technology is that in the existing edge computing process, user information will be leaked.
  • the embodiment of the present disclosure provides a method for processing request invocation, including:
  • when the edge computing application server, as an AF, requests a call to the 3GPP network NEF, it queries the UE's permission or authorization for the call;
  • when it is determined that the UE has permitted or authorized the call, it requests the call from the 3GPP network NEF.
  • when the edge computing application server queries the UE's permission or authorization for the call, it queries the user configuration information server at the application layer;
  • the method further includes:
  • when the UDM and the user information server at the application layer share the UE's permission or authorization information for the call, the user permission information carries a verification code calculated with the security key shared by the UDM and the user information server at the application layer.
  • the embodiment of the present disclosure provides a method for processing request invocation, including:
  • NEF queries the UE's permission or authorization for the call
  • NEF allows the edge computing application server to be called when it determines that the UE has approved or authorized the call.
  • when receiving the call requested from the 3GPP network NEF by the edge computing application server acting as the AF, the NEF queries the UDM or UDR for the UE's permission or authorization for the call; or,
  • when receiving a call carrying user permission information requested from the 3GPP network NEF by the edge computing application server, the NEF queries the UDM for the UE's permission or authorization for the call; or,
  • when receiving a call carrying user permission information and a verification code requested from the 3GPP network NEF by the edge computing application server, the NEF queries the local database for the UE's permission or authorization for the call according to the user's authorization configuration, or queries the UDM for the UE's permission or authorization for the call.
  • the embodiment of the present disclosure provides a query and call method, including:
  • the UDM or UDR receives NEF's query on the call, and the query is to query whether the call is a call permitted or authorized by the UE;
  • the UDM or UDR determines whether the call is a call permitted or authorized by the UE according to the user authorization configuration, and feeds the determination result back to the NEF.
  • the user authorization configuration is pre-configured or configured according to user authorization configuration information sent by the edge computing enabling server.
  • the embodiment of the present disclosure provides a method for invoking authorization, which includes:
  • the UE determines the APP call permitted or authorized by the user
  • the UE determines the user authorization configuration information according to the APP call information permitted or authorized by the user;
  • the UE sends the user authorization configuration information to the edge computing enabling server.
  • the method further includes:
  • the UE saves the user authorization configuration information.
  • the method further includes:
  • the user authorization configuration information is updated according to the instruction of the edge computing enabling server.
  • the user's permission or authorization for APP invocation is based on the granularity of the application or the granularity of the invocation event.
  • the embodiment of the present disclosure provides a processing method for invoking authorization, which includes:
  • the edge computing enabling server receives the user authorization configuration information sent by the UE, where the user authorization configuration information contains APP invocation information permitted or authorized by the user;
  • the edge computing enabling server sends the user authorization configuration information to the network side device for the NEF to query the permission or authorization of the call.
  • the network side device is one or a combination of the following devices: UDM, UDR, user information server at the application layer, NEF.
  • the method further includes:
  • the edge computing enabling server instructs the UE to update the user authorization configuration information on the UE.
  • the user's permission or authorization for APP invocation is based on the granularity of the application or the granularity of the invocation event.
  • the embodiment of the present disclosure provides a processing method for invoking authorization, which includes:
  • the network-side device receives the user authorization configuration information sent by the edge computing enabling server, where the user authorization configuration information includes the APP invocation information permitted or authorized by the user;
  • the network side device receives the query for the call sent by the NEF, where the query is to query whether the call is a call permitted or authorized by the UE;
  • the network side device determines whether the call is a call approved or authorized by the UE according to the user authorization configuration.
  • the network side device is one or a combination of the following devices: UDM, UDR, user information server at the application layer, NEF.
  • the user's permission or authorization for APP invocation is based on the granularity of the application or the granularity of the invocation event.
  • An embodiment of the present disclosure provides an edge computing application server, including:
  • the processor is used to read the program in the memory and execute the following process:
  • when the edge computing application server, as an AF, requests a call to the 3GPP network NEF, query the UE's permission or authorization for the call;
  • when it is determined that the UE has permitted or authorized the call, request the call from the 3GPP network NEF;
  • Transceiver used to receive and send data under the control of the processor.
  • when the edge computing application server queries the UE's permission or authorization for the call, it queries the user configuration information server at the application layer;
  • the processor is further used for:
  • when the UDM and the user information server at the application layer share the UE's permission or authorization information for the call, the user permission information carries a verification code calculated with the security key shared by the UDM and the user information server at the application layer.
  • An embodiment of the present disclosure provides a processing device for request invocation, including:
  • the first query module is used to query the UE's permission or authorization for the call when the edge computing application server as an AF requests a call to the 3GPP network NEF;
  • the request module is used to request the call from the 3GPP network NEF when it is determined that the UE has permitted or authorized the call.
  • An embodiment of the present disclosure provides a NEF, including:
  • the processor is used to read the program in the memory and execute the following process:
  • allow the call from the edge computing application server when it is determined that the UE has permitted or authorized the call;
  • Transceiver used to receive and send data under the control of the processor.
  • when receiving the call requested from the 3GPP network NEF by the edge computing application server acting as the AF, query the UDM or UDR for the UE's permission or authorization for the call; or,
  • An embodiment of the present disclosure provides a processing device for request invocation, including:
  • the first receiving module is used to receive the call requested from the 3GPP network NEF by the edge computing application server acting as the AF, or to receive the call carrying user permission information requested from the 3GPP network NEF by the edge computing application server, or to receive the call carrying user permission information and a verification code requested from the 3GPP network NEF by the edge computing application server, where the verification code is the verification code calculated with the security key shared by the UDM and the application layer user information server when the UDM and the application layer user information server share the UE's permission or authorization information for the call;
  • the second query module is used to query the UE's permission or authorization for the call
  • the calling module is used to allow the edge computing application server to be called when it is determined that the UE has approved or authorized the calling.
  • An embodiment of the present disclosure provides a communication device located in UDM or UDR, including:
  • the processor is used to read the program in the memory and execute the following process:
  • the UDM or UDR receives NEF's query on the call, and the query is to query whether the call is a call permitted or authorized by the UE;
  • the UDM or UDR determines whether the call is permitted or authorized by the UE according to the user authorization configuration, and feeds the determination result back to the NEF;
  • Transceiver used to receive and send data under the control of the processor.
  • the user authorization configuration is pre-configured or configured according to user authorization configuration information sent by the edge computing enabling server.
  • An embodiment of the present disclosure provides a communication device located in UDM or UDR, including:
  • the second receiving module is configured to receive a query from NEF to a call, and the query is to query whether the call is a call permitted or authorized by the UE;
  • the authorization confirmation module is used to determine whether the call is a call permitted or authorized by the UE according to the user authorization configuration, and feed the determination result back to the NEF.
  • An embodiment of the present disclosure provides a terminal device, including:
  • the processor is used to read the program in the memory and execute the following process:
  • Transceiver used to receive and send data under the control of the processor.
  • the processor is further configured to:
  • the user authorization configuration information is updated according to the instruction of the edge computing enabling server.
  • the user permits or authorizes APP invocation based on the granularity of the application or the granularity of the invocation event.
  • An embodiment of the present disclosure provides a calling authorization device, including:
  • the first determining module is used to determine the APP call permitted or authorized by the user
  • the configuration module is used to determine the user authorization configuration information according to the APP call information permitted or authorized by the user;
  • the first sending module is configured to send the user authorization configuration information to the edge computing enabling server.
  • the embodiment of the present disclosure provides an edge computing enabling server, including:
  • the processor is used to read the program in the memory and execute the following process:
  • Transceiver used to receive and send data under the control of the processor.
  • the network side device is one or a combination of the following devices: UDM, UDR, user information server at the application layer, NEF.
  • the processor is further configured to:
  • according to the user's instruction during the process in which the UE requests the edge computing application, instruct the UE to update the user authorization configuration information on the UE.
  • the user's permission or authorization for APP invocation is based on the granularity of the application or the granularity of the invocation event.
  • An embodiment of the present disclosure provides a processing device for invoking authorization, including:
  • the third receiving module is configured to receive user authorization configuration information sent by the UE, where the user authorization configuration information contains APP invocation information permitted or authorized by the user;
  • the second sending module is used to send the user authorization configuration information to the network side device for NEF to query and call the permission or authorization.
  • the embodiments of the present disclosure provide a communication device located in one of the following devices: UDM, UDR, user information server at the application layer, or NEF, including:
  • the processor is used to read the program in the memory and execute the following process:
  • Transceiver used to receive and send data under the control of the processor.
  • the user's permission or authorization for APP invocation is based on the granularity of the application or the granularity of the invocation event.
  • An embodiment of the present disclosure provides a processing device for invoking authorization, including:
  • the fourth receiving module is configured to receive user authorization configuration information sent by the edge computing enabling server, where the user authorization configuration information includes APP invocation information permitted or authorized by the user;
  • the fifth receiving module is configured to receive a query for a call sent by NEF, where the query is to query whether the call is a call permitted or authorized by the UE;
  • the second determining module is configured to determine whether the call is a call permitted or authorized by the UE according to the user authorization configuration.
  • An embodiment of the present disclosure provides a computer-readable storage medium, wherein the computer-readable storage medium stores a program for executing the above method.
  • the UE determines the user authorization configuration information according to the APP call information permitted or authorized by the user, and sends it to the edge computing enabling server;
  • the edge computing enabling server receives the user authorization configuration information sent by the UE and sends it to the network side device for the NEF to query the permission or authorization of the call;
  • the network side device can be UDM, UDR, application layer user information server, NEF, etc.
  • when the edge computing application server, as an AF, requests a call to the 3GPP network NEF, it queries the UE's permission or authorization for the call; when it is determined that the UE has permitted or authorized the call, it requests the call from the 3GPP network NEF;
  • NEF allows the edge computing application server to be called when it determines that the UE has approved or authorized the call.
  • on the one hand, when the edge computing application server makes a call, it queries whether the call is permitted or authorized; on the other hand, because the UDM, UDR, user information server at the application layer, NEF, etc. already know the user's permission or authorization for the application's calls, they can confirm the query about the call. Therefore, the user's authorization or permission for the edge computing application to call the network capability can be verified, so as to avoid the leakage of user information when the edge computing application calls the network capability.
  • FIG. 1 is a schematic diagram of the network architecture of the MEC with offloaded UPF defined by SA2 in the background art
  • FIG. 2 is a schematic diagram of the network architecture of the MEC without the offloaded UPF defined by SA2 in the background art
  • FIG. 3 is a schematic diagram of a network structure in which an edge data network provides services to UEs in the background art
  • FIG. 4 is a schematic diagram of the relationship between the authorization processing stage and the call processing stage in the embodiments of the disclosure.
  • FIG. 5 is a schematic diagram of the implementation process of the method for invoking authorization on the UE side in an embodiment of the disclosure
  • FIG. 6 is a schematic diagram of an implementation process of a processing method for invoking authorization on the edge computing enable server side in an embodiment of the disclosure
  • FIG. 7 is a schematic diagram of an implementation process of a processing method for invoking authorization on a network side device in an embodiment of the disclosure
  • FIG. 8 is a schematic diagram of an implementation flow of authorization processing in Embodiment 1 of the present disclosure.
  • FIG. 9 is a schematic diagram of an implementation flow of authorization processing in Embodiment 2 of the disclosure.
  • FIG. 10 is a schematic diagram of the implementation process of the processing method for request invocation on the side of the edge computing application server of the present disclosure
  • FIG. 11 is a schematic diagram of the implementation flow of the processing method for request invocation on the NEF side of the present disclosure
  • FIG. 12 is a schematic diagram of the implementation process of the query and invocation method on the UDM side of the present disclosure
  • FIG. 13 is a schematic diagram of the implementation flow of the call processing in the third embodiment of the disclosure.
  • FIG. 14 is a schematic diagram of the implementation flow of calling processing in the fourth embodiment of the disclosure.
  • FIG. 15 is a schematic diagram of the implementation flow of calling processing in Embodiment 5 of the present disclosure.
  • FIG. 16 is a schematic diagram of the implementation flow of the call processing in the sixth embodiment of the disclosure.
  • FIG. 17 is a schematic diagram of structure 1 of an edge computing application server in an embodiment of the disclosure.
  • FIG. 18 is a schematic diagram of the NEF structure in an embodiment of the disclosure.
  • FIG. 19 is a schematic diagram of structure 1 of a communication device in an embodiment of the disclosure.
  • FIG. 20 is a schematic diagram of a UE structure in an embodiment of the disclosure.
  • FIG. 21 is a schematic diagram of structure 2 of an edge computing enabling server in an embodiment of the disclosure.
  • FIG. 22 is a schematic diagram of structure 2 of a communication device in an embodiment of the disclosure.
  • the network function needs to be opened to the edge application server, and some sensitive information may be involved in this process, especially the sensitive information of some users (such as location information). Therefore, the UE needs to know which network capabilities the network will open to which edge computing applications, and whether the user allows these edge computing applications to call the network capabilities to obtain user information.
  • the embodiment of the present disclosure provides a processing solution in the process of the edge computing application server requesting the NEF call to solve how the user agrees or authorizes the edge computing service to call the open network API to access the user's information, especially the private information.
  • the implementation stage is divided into two parts for description, one part is called the authorization processing stage in the embodiment, and the other part is called the call processing stage in the embodiment. Obviously, the two parts are both independent and interrelated.
  • the application authorization allowed by the user can be determined through the authorization processing stage, and the application can be invoked according to the user's authorization through the invocation processing stage to achieve the purpose of protecting user information.
  • the user's permission information for using the network capability of a certain service is synchronized between the application layer and the core network, and updates to the configuration of the user's application attributes are also changed synchronously in the application layer and the core network; when the edge computing application service calls the network capability, the NEF (Network Exposure Function) matches the user authorization configuration received from the AS (Access Stratum) with that held in the core network.
  • NEF Network Exposure Function
  • Figure 4 is a schematic diagram of the relationship between the authorization processing stage and the call processing stage, as shown in the figure, including:
  • Step 401 The user's permission configuration for the APP to call the network capability;
  • Step 402 Authorization verification of the user's APP invoking the network capability.
  • the user's update of the application configuration can be uploaded to the database of the application layer (the information server of the UE) through the edge computing enable server. That is, the application layer and the core network recognize the UE's permission to call the API according to the authorization configuration of the UE.
  • Authorization configuration defines which API calls are allowed or not allowed to call network capabilities.
  • Figure 5 is a schematic diagram of the implementation process of the UE side invoking the authorization method. As shown in the figure, it can include:
  • Step 501 The UE determines the APP call permitted or authorized by the user
  • Step 502 The UE determines user authorization configuration information according to the APP call information permitted or authorized by the user;
  • Step 503 The UE sends the user authorization configuration information to the edge computing enabling server.
  • the method may further include:
  • the UE saves the user authorization configuration information.
  • the method may further include:
  • the user authorization configuration information is updated according to the instruction of the edge computing enabling server.
  • Figure 6 is a schematic diagram of the implementation process of the processing method of invoking authorization on the edge computing enable server side. As shown in the figure, it can include:
  • Step 601 The edge computing enabling server receives user authorization configuration information sent by the UE, where the user authorization configuration information includes APP invocation information permitted or authorized by the user;
  • Step 602 The edge computing enabling server sends the user authorization configuration information to the network side device for the NEF to query the permission or authorization of the call.
  • the network-side device may be one of the following devices or a combination of them: UDM (Unified Data Management), UDR (Unified Data Repository), application layer user information server, NEF.
  • UDM Unified Data Management
  • UDR Unified Data Repository
  • the method may further include:
  • the edge computing enabling server instructs the UE to update the user authorization configuration information on the UE.
  • Figure 7 is a schematic diagram of the implementation process of the processing method for invoking authorization on the network side device, as shown in the figure, which may include:
  • Step 701 The network side device receives user authorization configuration information sent by the edge computing enablement server, where the user authorization configuration information includes APP invocation information permitted or authorized by the user;
  • Step 702 The network side device receives the query for the call sent by the NEF, where the query is to query whether the call is a call permitted or authorized by the UE;
  • Step 703 The network side device determines whether the call is a call permitted or authorized by the UE according to the user authorization configuration.
  • the network-side device may be one or a combination of the following devices: UDM, UDR, user information server at the application layer, NEF.
  • the user's authorization for APP invocation can be pre-configured in the core network element UDM, or pre-configured in the server responsible for user subscription information management at the application layer.
  • the user's license information can also be stored on the terminal side.
  • the invocation permission configuration can be based on the application as the granularity or based on the invocation event as the granularity.
  • if the granularity is based on the application, the configuration information contains the APP ID (application identification) information, and the APP can call all the capabilities supported by the core network capability opening; if the granularity is based on the call event, the configuration information contains the event ID (event identification) information, which only permits the APP to call a certain event. That is, in some optional embodiments described above, the user's permission or authorization for APP invocation is based on the granularity of the application or the granularity of the invocation event.
  • the user can update the UE configuration information through the edge computing enablement server, so as to update on the UE the identifier indicating whether the APP is authorized to call the network capability.
  • the request from the enabling server is processed by the UDM or UDR.
  • FIG. 8 is a schematic diagram of the authorization processing implementation flow of Embodiment 1. As shown in the figure, it may include:
  • Step 801 Request for edge computing application server information, carrying information about whether the APP is allowed to call network capabilities.
  • the user requests the edge computing server information, and the request carries information on whether the user allows the network capability to be called.
  • Step 802 Update request (query the UE's permission status for each APP, and update the settings if they are inconsistent).
  • the edge computing application server interacts with the 3GPP network element, requesting to query and update the user's permission for a certain APP to call network capabilities.
  • the network element used for illustration in the figure is UDM or UDR.
  • Step 803 The UE privacy permission flag is 1 if the call is allowed, otherwise it is 0, and the UE privacy permission flag information is bound to the UE identity and the APP identity.
  • the 3GPP network entity verifies the request message. After the verification is passed, the permission identifier is updated according to the user ID, APP identifier/APP event ID.
  • Step 804 Update response, notifying that the update has been made according to the user's wishes.
  • the 3GPP network entity returns update response information.
  • Step 805 APP information and the update notification identifier for the APP's network capability call.
  • the enabling server notifies the user to update the license identifier while responding to the APP information.
  • the request from the enabling server is processed by the user configuration server at the application layer.
  • Fig. 9 is a schematic diagram of the authorization processing implementation flow of the second embodiment. As shown in the figure, it may include:
  • Step 901 Request for edge computing application server information, carrying information about whether the APP is allowed to call network capabilities.
  • the user requests the edge computing server information, and the request carries information on whether the user allows the network capability to be called.
  • Step 902 Update request (query the UE's permission status for each APP, and update the settings if they are inconsistent).
  • the edge computing application server interacts with the user configuration server at the application layer, requesting it to query and update the user's permission for a certain APP to call network capabilities.
  • Step 903 The UE privacy permission flag is 1 if the call is allowed and 0 otherwise; the UE privacy permission flag is bound to the UE ID and the APP ID.
  • the user configuration server at the application layer verifies the request message, and after the verification passes, the permission identifier is updated according to the user ID and the APP identifier.
  • the network element used for illustration in the figure is the user profile server in the application layer (UE profile server in Application layer).
  • Step 904 Update the response, notifying that it has been updated according to the user's wishes.
  • the user configuration server of the application layer returns the update response information.
  • Step 905 APP information and APP call network capability update notification identifier.
  • the enabling server notifies the user of the updated permission identifier while responding with the APP information.
  • the user information server is actually a proxy entity of the core network UDM, which stores configuration information of edge computing nodes.
  • the data in the proxy entity is the mirror image of the core network UDM.
  • the server can also delete the user's subscription configuration information. Through the configuration at the application layer, users can quickly query the network capability exposure authorization of an application.
  • the first embodiment and the second embodiment can be independent or related.
  • if the core network and the application layer fully trust each other, the two embodiments can be used independently; otherwise the enabling server needs to synchronize the UE configuration information in the application layer and in the UDM at the same time.
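  • As an added illustration of steps 802-804 and 902-904 (example code written for this page, not code from the patent or its applicant): a small permission store of the kind the UDM/UDR or the application-layer user profile server would keep. It verifies the update request, keeps the UE privacy permission flag bound to the UE identifier and the APP identifier (optionally at invocation-event granularity, which the later device descriptions mention), updates the flag only when the stored value is inconsistent with the request, and returns an update response. The class and function names and every identifier used are assumptions.

```python
"""Added example (not the patent's own code): a permission store of the kind
the UDM/UDR (first embodiment) or the application-layer user profile server
(second embodiment) keeps in steps 802-804 / 902-904.  All names and
identifiers here are assumptions made for this illustration."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Key: (UE identifier, APP identifier, APP event identifier or None).
# event_id None = permission at application granularity; otherwise the entry
# applies to one invocation event of that APP.
PermKey = Tuple[str, str, Optional[str]]


@dataclass
class PermissionStore:
    # Enabling servers whose update requests pass verification (step 803).
    trusted_requesters: Set[str] = field(default_factory=set)
    # UE privacy permission flag: 1 = call allowed, 0 = not allowed (step 803).
    flags: Dict[PermKey, int] = field(default_factory=dict)

    def verify_request(self, requester: str, flag: int) -> bool:
        """Step 803: verify the update request before touching any flag."""
        return requester in self.trusted_requesters and flag in (0, 1)

    def update_request(self, requester: str, ue_id: str, app_id: str,
                       flag: int, event_id: Optional[str] = None) -> dict:
        """Steps 802-804: query the stored flag for this UE/APP(/event),
        update it only if it is inconsistent with the request, and return
        the update response."""
        if not self.verify_request(requester, flag):
            return {"result": "rejected", "reason": "request verification failed"}
        key = (ue_id, app_id, event_id)
        current = self.flags.get(key)
        if current == flag:
            return {"result": "unchanged", "flag": flag}
        self.flags[key] = flag
        return {"result": "updated", "flag": flag, "previous": current}

    def query(self, ue_id: str, app_id: str, event_id: Optional[str] = None) -> int:
        """Return the UE privacy permission flag.  An event-level entry takes
        precedence over the application-level one; no entry means 0 (deny)."""
        if event_id is not None and (ue_id, app_id, event_id) in self.flags:
            return self.flags[(ue_id, app_id, event_id)]
        return self.flags.get((ue_id, app_id, None), 0)


def demo() -> Tuple[PermissionStore, tuple]:
    """Constructed walk-through: one trusted enabling server, one UE, one APP."""
    store = PermissionStore(trusted_requesters={"enabling-server-1"})
    r1 = store.update_request("enabling-server-1", "ue-001", "app-A", 1)
    r2 = store.update_request("enabling-server-1", "ue-001", "app-A", 1)   # already consistent
    r3 = store.update_request("enabling-server-1", "ue-001", "app-A", 0,
                              event_id="location")                           # one event withdrawn
    r4 = store.update_request("untrusted-server", "ue-001", "app-A", 1)     # fails verification
    return store, (r1, r2, r3, r4)


if __name__ == "__main__":
    s, responses = demo()
    for r in responses:
        print(r)
    print("app-A, any other event:", s.query("ue-001", "app-A", "other-event"))
    print("app-A, location event:", s.query("ue-001", "app-A", "location"))
```

  • The store defaults to 0 (deny) for any UE/APP pair it has no entry for, so a missing configuration can never be read as an authorization; an event-level entry overrides the application-level one, which is how a user can allow an APP in general while withdrawing one specific invocation event.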
  • FIG. 10 is a schematic diagram of the implementation process of the processing method of request invocation on the edge computing application server side. As shown in the figure, it may include:
  • Step 1001 When the edge computing application server as an AF requests a call to the 3GPP network NEF, query the UE's permission or authorization for the call;
  • Step 1002 when it is determined that the UE has granted or authorized the call, request the call to the 3GPP network NEF.
  • when the edge computing application server queries the UE's permission or authorization for the call, it queries the user configuration information server at the application layer;
  • the method may further include:
  • when the UDM and the user information server at the application layer share the UE's permission or authorization information for the call, the call request carries the user permission information and a verification code calculated with the security key shared by the UDM and the application-layer user information server.
  • Figure 11 is a schematic diagram of the implementation process of the processing method for request invocation on the NEF side. As shown in the figure, it can include:
  • Step 1101 Receive the call requested by the edge computing application server, acting as the AF, to the 3GPP network NEF; or receive such a call carrying user permission information; or receive such a call carrying user permission information and a verification code, where the verification code is calculated with the security key shared by the UDM and the application-layer user information server when the two share the UE's permission or authorization information for the call;
  • Step 1102 The NEF queries the UE's permission or authorization for the call;
  • Step 1103 When the NEF determines that the UE has approved or authorized the call, it allows the edge computing application server to call.
  • when receiving the call requested by the edge computing application server, acting as the AF, to the 3GPP network NEF, the NEF queries the UDM or UDR for the UE's permission or authorization for the call; or,
  • when receiving a call carrying user permission information requested by the edge computing application server to the 3GPP network NEF, the NEF queries the UDM for the UE's permission or authorization for the call; or,
  • when receiving a call carrying user permission information and a verification code requested by the edge computing application server to the 3GPP network NEF, the NEF queries its local database for the UE's permission or authorization for the call according to the user's authorization configuration, or queries the UDM for the UE's permission or authorization for the call.
  • Figure 12 is a schematic diagram of the implementation process of the query invocation method on the UDM side. As shown in the figure, it can include:
  • Step 1201 The UDM or UDR receives the NEF query on the call, where the query is to query whether the call is a UE permitted or authorized call;
  • Step 1202 the UDM or UDR determines whether the call is a call permitted or authorized by the UE according to the user authorization configuration, and feeds the determination result back to the NEF.
  • the user authorization configuration is pre-configured or configured according to user authorization configuration information sent by the edge computing enabling server.
  • the edge computing application server (the enabling server, which at this time acts as the proxy of the edge application server) requests a call, as an AF (Application Function), to the NEF (Network Exposure Function) of the 3GPP network.
  • when an AF initiates a request, it needs to carry the edge computing service type, or the network recognizes through the IP address that the AF is an application instance of edge computing.
  • when the NEF receives this type of request, it needs to query the user configuration information to confirm whether the UE allows or authorizes the call.
  • the user configuration information can be held by a 3GPP network entity (UDM or UDR) or by an independent user configuration information server at the application layer.
  • Figure 13 is a schematic diagram of the implementation flow of the call processing in the third embodiment. As shown in the figure, it may include:
  • Step 1301 Invoke the capability request, which carries the identifier of the UE and the edge computing service type.
  • the edge computing application server requests the NEF to verify whether the UE allows the APP to call network capabilities.
  • Step 1302 Invoke the capability verification request.
  • the NEF initiates a request to the UDM/UDR to query whether the UE allows the call for the APP or for the event ID of the APP.
  • Step 1303 Confirm whether the service is allowed to be invoked through the UE identification, the calling ID, the APP identification, and the privacy permission identification of the UE.
  • Step 1304 If allowed, return related call information.
  • the UDM/UDR returns the corresponding user authorization identifier to the NEF. If the call is allowed, the UDM/UDR returns the permission identifier as 1; otherwise, it returns the permission identifier as 0.
  • Step 1305 Return the calling information to the APP.
  • the NEF returns the corresponding event information if the permission result of the query is 1; otherwise, the returned event information is empty.
  • NEF calls the user license information through the enabling server.
  • Figure 14 is a schematic diagram of the implementation flow of the call processing in the fourth embodiment. As shown in the figure, it may include:
  • Step 1401 Invoke the permission request, which carries the identifier of the UE and the edge computing service type.
  • the edge computing application server queries the user configuration information server of the application layer for the user's authorization information for invoking network capabilities.
  • Step 1402 Confirm whether the call is allowed through the UE/user identifier, the calling ID, the APP identifier, and the privacy permission identifier of the UE.
  • the application layer user information configuration server queries the user's authorization for the microservice based on the user ID, event ID, and APP ID.
  • Step 1403 If allowed, return the related call information, carrying the permission information identifier.
  • the application layer user information configuration server returns the configuration information to the application server: if allowed, the permission identifier is 1; otherwise, the returned permission identifier is 0.
  • Step 1404 Invoke the capability request, which carries the permission information identifier.
  • the edge computing application server carries user permission information when requesting a service call from the NEF.
  • Step 1405 Invoke the capability request, which carries the license information identifier.
  • NEF forwards to UDM.
  • Step 1406 Verification of the license information identification.
  • the UDM verifies whether the permission identifier is consistent with the locally stored one.
  • Step 1407 Return the calling information to the APP.
  • if they are consistent, meaning the user allows the call, the UDM returns the result to the NEF.
  • Step 1408 Return the calling information to the APP.
  • the NEF returns to the APP the event information the APP needs for the call; otherwise, the returned event information is empty.
  • both the application layer user information database and the NEF store the user's permission to call the service, protected by a MAC (Message Authentication Code).
  • the MAC is a verification code calculated with the security key shared by the UDM and the user information server at the application layer, so that tampering with the authorization information is detected.
  • Figure 15 is a schematic diagram of the implementation flow of the call processing in the fifth embodiment. As shown in the figure, it may include:
  • Step 1501 Query the application invocation capability, which carries the identifier of the UE or the user, and the edge computing service type.
  • when the APP server requests a 3GPP network service call, it first initiates a query request to the user information server.
  • Step 1502 Confirm whether the call is allowed using the UE or user identifier, the calling ID, the APP identifier, and the privacy permission identifier of the UE.
  • the application layer user configuration information server queries the user's authorization for the microservice.
  • Step 1503 If allowed, return the related call information, which carries the permission information identifier and the MAC.
  • the edge computing application layer configuration server returns configuration information to the application server.
  • Step 1504 Invoke the capability request, which carries the permission information identifier and MAC.
  • the edge computing application server (enable server) carries user permission information and MAC when requesting service invocation from NEF.
  • Step 1505 Verification of the license information identification.
  • the NEF verifies whether the MAC value is consistent with the local MAC. If they are consistent, the user has permitted the call and the result is returned.
  • Step 1506 Return the calling information to the APP.
  • the NEF returns to the APP the information the APP needs for the call. If the MAC values are inconsistent, an empty message is returned and the microservice call of the APP is prohibited.
  • both the application layer user information database and UDM store the user's permission to call the service and are protected by MAC.
  • Figure 16 is a schematic diagram of the implementation flow of the call processing in the sixth embodiment. As shown in the figure, it may include:
  • Step 1601 Query the application invocation capability, which carries the identifier of the UE or the user, and the edge computing service type.
  • when the APP server (enabling server) requests a 3GPP network service call, it first initiates a query request to the user information server.
  • Step 1602 Confirm whether the call is allowed using the UE or user identifier, the calling ID, the APP identifier, and the privacy permission identifier of the UE.
  • the application layer user configuration information server queries the user's permission for the microservice.
  • Step 1603 If allowed, return the related call information, which carries the permission information identifier and the MAC.
  • the edge computing application layer configuration server returns configuration information to the application server.
  • Step 1604 Invoke the capability request, which carries the permission information identifier and MAC.
  • the edge computing application server carries user permission information and MAC when requesting service invocation from NEF.
  • Step 1605 Invoke the capability request, which carries the permission information identifier and MAC.
  • NEF forwards to UDM.
  • Step 1606 MAC verification.
  • UDM verifies whether the MAC value is consistent with the local MAC.
  • Step 1607 The user permits the call.
  • if they are consistent, meaning the user allows the call, the UDM returns the result to the NEF.
  • Step 1608 Return the calling information to the APP.
  • the NEF returns to the APP the information the APP needs for the call.
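  • As an added example covering the NEF-side method of Fig. 11, the UDM-side query of Fig. 12, and the third to sixth embodiments (example code written for this page, not code from the patent or its applicant): the permission identifier protected by a MAC computed with a key shared by the UDM and the application-layer user information server, and the three ways the NEF can decide a call: querying the UDM/UDR directly (third embodiment), having the UDM check a carried identifier for consistency with its stored copy (fourth embodiment), or verifying a carried identifier plus MAC locally before returning event information (fifth embodiment). HMAC-SHA256, the class and function names, the key and all identifiers are assumptions; in particular the example assumes the NEF holds the shared key so that it can recompute the "local MAC" of step 1505.

```python
"""Added example (not the patent's own code): MAC-protected permission
identifier (embodiments 4-6) and the NEF-side decision of Fig. 11.
HMAC-SHA256, all class/function names, the key and the identifiers are
assumptions made for this illustration."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

PermKey = Tuple[str, str, Optional[str]]


def permission_mac(key: bytes, ue_id: str, app_id: str,
                   event_id: Optional[str], flag: int) -> str:
    """Verification code over (UE id, APP id, event id, permission flag).
    Fields are length-prefixed so two different tuples never encode alike."""
    parts = [ue_id, app_id, event_id or "", str(flag)]
    msg = b"".join(len(p).to_bytes(2, "big") + p.encode() for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class UserInfoServer:
    """Application-layer user information server (steps 1501-1503): mirror of
    the UE permission flags plus the key shared with the UDM."""
    def __init__(self, shared_key: bytes, flags: Dict[PermKey, int]):
        self.key, self.flags = shared_key, dict(flags)

    def query_with_mac(self, ue_id: str, app_id: str,
                       event_id: Optional[str] = None) -> Tuple[int, str]:
        flag = self.flags.get((ue_id, app_id, event_id), 0)   # unknown = 0 (deny)
        return flag, permission_mac(self.key, ue_id, app_id, event_id, flag)


class UdmUdr:
    """Core-network UDM/UDR: authoritative flags (steps 1302-1304, 1406)."""
    def __init__(self, shared_key: bytes, flags: Dict[PermKey, int]):
        self.key, self.flags = shared_key, dict(flags)

    def query(self, ue_id: str, app_id: str, event_id: Optional[str] = None) -> int:
        return self.flags.get((ue_id, app_id, event_id), 0)

    def verify_flag(self, ue_id, app_id, event_id, claimed_flag: int) -> bool:
        """Step 1406: the carried identifier must equal the stored one."""
        return self.query(ue_id, app_id, event_id) == claimed_flag


class Nef:
    """Network Exposure Function.  Assumption: it holds the shared key so it
    can recompute the 'local MAC' of step 1505."""
    def __init__(self, udm: UdmUdr, shared_key: bytes):
        self.udm, self.key = udm, shared_key

    def handle_call(self, req: dict) -> dict:
        ue, app, ev = req["ue_id"], req["app_id"], req.get("event_id")
        if "mac" in req:
            # Embodiment 5: identifier + MAC carried; verify the MAC locally.
            expected = permission_mac(self.key, ue, app, ev, req.get("flag", 0))
            permitted = hmac.compare_digest(expected, req["mac"]) and req.get("flag") == 1
        elif "flag" in req:
            # Embodiment 4: identifier carried without MAC; UDM checks consistency.
            permitted = self.udm.verify_flag(ue, app, ev, req["flag"]) and req["flag"] == 1
        else:
            # Embodiment 3: plain call; NEF queries the UDM/UDR itself.
            permitted = self.udm.query(ue, app, ev) == 1
        if not permitted:
            return {}      # empty event information: the microservice call is prohibited
        return {"ue_id": ue, "app_id": app, "event_id": ev,
                "service_type": req["service_type"]}


def demo() -> Tuple[dict, dict, dict, dict]:
    """Constructed scenario: app-A permitted, app-B not, for one UE and event."""
    key = b"constructed-shared-key"
    flags = {("ue-001", "app-A", "location"): 1, ("ue-001", "app-B", "location"): 0}
    uis, udm = UserInfoServer(key, flags), UdmUdr(key, flags)
    nef = Nef(udm, key)
    base = {"ue_id": "ue-001", "event_id": "location", "service_type": "edge-app"}
    # Embodiment 5: enabling server forwards identifier + MAC from the user info server.
    flag_a, mac_a = uis.query_with_mac("ue-001", "app-A", "location")
    ok = nef.handle_call({**base, "app_id": "app-A", "flag": flag_a, "mac": mac_a})
    # Same path, but the identifier was altered after the MAC was computed.
    _, mac_b = uis.query_with_mac("ue-001", "app-B", "location")
    tampered = nef.handle_call({**base, "app_id": "app-B", "flag": 1, "mac": mac_b})
    # Embodiment 4: identifier carried without MAC; the UDM finds it inconsistent.
    inconsistent = nef.handle_call({**base, "app_id": "app-B", "flag": 1})
    # Embodiment 3: plain call; the NEF queries the UDM/UDR directly.
    plain = nef.handle_call({**base, "app_id": "app-A"})
    return ok, tampered, inconsistent, plain
```

  • The MAC binds the flag to the UE identifier, APP identifier and event identifier together, so an identifier that was issued for one APP or event cannot be replayed for another; `hmac.compare_digest` is used for the comparison so that verification time does not depend on where the two values first differ.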
  • the embodiments of the present disclosure also provide a base station-side device, user equipment, and system. Since these devices solve the problem on principles similar to those of the method, their implementation can refer to the implementation of the method, and repeated details are not described again.
  • FIG 17 is a schematic diagram of edge computing application server structure 1. As shown in the figure, the server includes:
  • the processor 1700 is configured to read a program in the memory 1720 and execute the following process:
  • when the edge computing application server, acting as an AF, requests a call to the 3GPP network NEF, it queries the UE's permission or authorization for the call;
  • when it is determined that the UE has permitted or authorized the call, it requests the call to the 3GPP network NEF;
  • the transceiver 1710 is used to receive and send data under the control of the processor 1700.
  • when the edge computing application server queries the UE's permission or authorization for the call, it queries the user configuration information server at the application layer;
  • the processor 1700 is further used to:
  • when the UDM and the user information server at the application layer share the UE's permission or authorization information for the call, the call request carries the user permission information and a verification code calculated with the security key shared by the UDM and the application-layer user information server.
  • the bus architecture may include any number of interconnected buses and bridges. Specifically, one or more processors represented by the processor 1700 and various circuits of the memory represented by the memory 1720 are linked together.
  • the bus architecture can also link various other circuits such as peripherals, voltage regulators, power management circuits, etc., which are all known in the art, and therefore, will not be further described herein.
  • the bus interface provides the interface.
  • the transceiver 1710 may be a plurality of elements, including a transmitter and a receiver, and provide a unit for communicating with various other devices on the transmission medium.
  • the processor 1700 is responsible for managing the bus architecture and general processing, and the memory 1720 can store data used by the processor 1700 when performing operations.
  • An embodiment of the present disclosure provides a processing device for request invocation, including:
  • the first query module is used to query the UE's permission or authorization for the call when the edge computing application server as an AF requests a call to the 3GPP network NEF;
  • the request module is used to request the call from the 3GPP network NEF when it is determined that the UE has permitted or authorized the call.
  • each part of the above-mentioned device is divided into various modules or units by function and described separately.
  • the functions of each module or unit can be implemented in the same one or more software or hardware.
  • NEF includes:
  • the processor 1800 is configured to read a program in the memory 1820 and execute the following process:
  • when it is determined that the UE has permitted or authorized the call, the call of the edge computing application server is allowed;
  • the transceiver 1810 is used to receive and send data under the control of the processor 1800.
  • when receiving the call requested by the edge computing application server, acting as the AF, to the 3GPP network NEF, query the UDM or UDR for the UE's permission or authorization for the call; or,
  • the bus architecture may include any number of interconnected buses and bridges. Specifically, one or more processors represented by the processor 1800 and various circuits of the memory represented by the memory 1820 are linked together.
  • the bus architecture can also link various other circuits such as peripherals, voltage regulators, power management circuits, etc., which are all known in the art, and therefore, will not be further described herein.
  • the bus interface provides the interface.
  • the transceiver 1810 may be a plurality of elements, including a transmitter and a receiver, and provide a unit for communicating with various other devices on the transmission medium.
  • the processor 1800 is responsible for managing the bus architecture and general processing, and the memory 1820 can store data used by the processor 1800 when performing operations.
  • An embodiment of the present disclosure provides a processing device for request invocation, including:
  • the first receiving module is used to receive the call requested by the edge computing application server, acting as the AF, to the 3GPP network NEF; or to receive such a call carrying user permission information; or to receive such a call carrying user permission information and a verification code, where the verification code is calculated with the security key shared by the UDM and the application-layer user information server when the two share the UE's permission or authorization information for the call;
  • the second query module is used to query the UE's permission or authorization for the call;
  • the calling module is used to allow the edge computing application server to be called when it is determined that the UE has approved or authorized the calling.
  • each part of the above-mentioned device is divided into various modules or units by function and described separately.
  • the functions of each module or unit can be implemented in the same one or more software or hardware.
  • FIG 19 is a schematic diagram of communication equipment structure 1, located in UDM or UDR. As shown in the figure, the equipment includes:
  • the processor 1900 is configured to read the program in the memory 1920 and execute the following process:
  • the UDM or UDR receives NEF's query on the call, and the query is to query whether the call is a call permitted or authorized by the UE;
  • the UDM or UDR determines whether the call is permitted or authorized by the UE according to the user authorization configuration, and feeds the determination result back to the NEF;
  • the transceiver 1910 is used to receive and send data under the control of the processor 1900.
  • the user authorization configuration is pre-configured or configured according to user authorization configuration information sent by the edge computing enabling server.
  • the bus architecture may include any number of interconnected buses and bridges. Specifically, one or more processors represented by the processor 1900 and various circuits of the memory represented by the memory 1920 are linked together.
  • the bus architecture can also link various other circuits such as peripherals, voltage regulators, power management circuits, etc., which are all known in the art, and therefore, will not be further described herein.
  • the bus interface provides the interface.
  • the transceiver 1910 may be a plurality of elements, including a transmitter and a receiver, and provide a unit for communicating with various other devices on the transmission medium.
  • the processor 1900 is responsible for managing the bus architecture and general processing, and the memory 1920 can store data used by the processor 1900 when performing operations.
  • An embodiment of the present disclosure provides a communication device located in UDM or UDR, including:
  • the second receiving module is configured to receive a query from NEF to a call, and the query is to query whether the call is a call permitted or authorized by the UE;
  • the authorization confirmation module is used to determine whether the call is a call permitted or authorized by the UE according to the user authorization configuration, and feed the determination result back to the NEF.
  • each part of the above-mentioned device is divided into various modules or units by function and described separately.
  • the functions of each module or unit can be implemented in the same one or more software or hardware.
  • Figure 20 is a schematic diagram of the UE structure. As shown in the figure, the user equipment includes:
  • the processor 2000 is configured to read the program in the memory 2020 and execute the following process:
  • the transceiver 2010 is used to receive and send data under the control of the processor 2000.
  • the processor 2000 is further configured to:
  • the user authorization configuration information is updated according to the instruction of the edge computing enabling server.
  • the user's permission or authorization for APP invocation is based on the granularity of the application or the granularity of the invocation event.
  • the bus architecture may include any number of interconnected buses and bridges. Specifically, one or more processors represented by the processor 2000 and various circuits of the memory represented by the memory 2020 are linked together.
  • the bus architecture can also link various other circuits such as peripheral devices, voltage regulators, power management circuits, etc., which are well known in the art, and therefore, will not be further described herein.
  • the bus interface provides the interface.
  • the transceiver 2010 may be a plurality of elements, including a transmitter and a receiver, and provide a unit for communicating with various other devices on the transmission medium.
  • the user interface 2030 may also be an interface capable of connecting externally and internally with required equipment, and the connected equipment includes but not limited to a keypad, a display, a speaker, a microphone, a joystick, and the like.
  • the processor 2000 is responsible for managing the bus architecture and general processing, and the memory 2020 can store data used by the processor 2000 when performing operations.
  • An embodiment of the present disclosure provides a calling authorization device, including:
  • the first determining module is used to determine the APP call permitted or authorized by the user
  • the configuration module is used to determine the user authorization configuration information according to the APP call information permitted or authorized by the user;
  • the first sending module is configured to send the user authorization configuration information to the edge computing enabling server.
  • each part of the above-mentioned device is divided into various modules or units by function and described separately.
  • the functions of each module or unit can be implemented in the same one or more software or hardware.
  • FIG. 21 is a schematic diagram of edge computing enabled server structure 2. As shown in the figure, the server includes:
  • the processor 2100 is configured to read a program in the memory 2120, and execute the following process:
  • the transceiver 2110 is used to receive and send data under the control of the processor 2100.
  • the network side device is one or a combination of the following devices: UDM, UDR, user information server at the application layer, NEF.
  • the processor 2100 is further configured to:
  • according to the user's instruction given in the process of requesting the edge computing application, instruct the UE to update the user authorization configuration information on the UE.
  • the user's permission or authorization for APP invocation is based on the granularity of the application or the granularity of the invocation event.
  • the bus architecture may include any number of interconnected buses and bridges. Specifically, one or more processors represented by the processor 2100 and various circuits of the memory represented by the memory 2120 are linked together.
  • the bus architecture can also link various other circuits such as peripherals, voltage regulators, power management circuits, etc., which are all known in the art, and therefore, will not be further described herein.
  • the bus interface provides the interface.
  • the transceiver 2110 may be a plurality of elements, that is, including a transmitter and a receiver, and provide a unit for communicating with various other devices on a transmission medium.
  • the processor 2100 is responsible for managing the bus architecture and general processing, and the memory 2120 can store data used by the processor 2100 when performing operations.
  • An embodiment of the present disclosure provides a processing device for invoking authorization, including:
  • the third receiving module is configured to receive user authorization configuration information sent by the UE, where the user authorization configuration information contains APP invocation information permitted or authorized by the user;
  • the second sending module is used to send the user authorization configuration information to the network side device for NEF to query and call the permission or authorization.
  • each part of the above-mentioned device is divided into various modules or units by function and described separately.
  • the functions of each module or unit can be implemented in the same one or more software or hardware.
  • FIG 22 is a schematic diagram of the structure 2 of the communication device.
  • the communication device is located in one of the following: the UDM, the UDR, the user information server at the application layer, or the NEF. As shown in the figure, it includes:
  • the processor 2200 is configured to read a program in the memory 2220 and execute the following process:
  • the transceiver 2210 is configured to receive and send data under the control of the processor 2200.
  • the user's permission or authorization for APP invocation is based on the granularity of the application or the granularity of the invocation event.
  • the bus architecture may include any number of interconnected buses and bridges. Specifically, one or more processors represented by the processor 2200 and various circuits of the memory represented by the memory 2220 are linked together.
  • the bus architecture can also link various other circuits such as peripherals, voltage regulators, power management circuits, etc., which are all known in the art, and therefore, will not be further described herein.
  • the bus interface provides the interface.
  • the transceiver 2210 may be a plurality of elements, including a transmitter and a receiver, and provide a unit for communicating with various other devices on the transmission medium.
  • the processor 2200 is responsible for managing the bus architecture and general processing, and the memory 2220 can store data used by the processor 2200 when performing operations.
  • An embodiment of the present disclosure provides a processing device for invoking authorization, including:
  • the fourth receiving module is configured to receive user authorization configuration information sent by the edge computing enabling server, where the user authorization configuration information includes APP invocation information permitted or authorized by the user;
  • the fifth receiving module is configured to receive a query for a call sent by NEF, where the query is to query whether the call is a call permitted or authorized by the UE;
  • the second determining module is configured to determine whether the call is a call permitted or authorized by the UE according to the user authorization configuration.
  • each part of the above-mentioned device is divided into various modules or units by function and described separately.
  • the functions of each module or unit can be implemented in the same one or more software or hardware.
  • An embodiment of the present disclosure provides a computer-readable storage medium, wherein the computer-readable storage medium stores a program that executes one or a combination of the following methods:
  • the processing method of request invocation, the method of query invocation, the method of call authorization, and the processing method of call authorization.
  • the user updates or configures, through the edge computing enabling server, the authorization of a certain edge computing application to invoke network capabilities; when the edge computing application invokes network capabilities, the user's permission for that application to call network capabilities must be queried first.
  • the embodiments of the present disclosure can be provided as methods, systems, or program products. Therefore, the present disclosure may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the present disclosure may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, optical storage, etc.) containing computer-usable program codes.
  • These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including the instruction device.
  • the device implements the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
  • These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so as to execute on the computer or other programmable equipment.
  • the instructions provide steps for implementing the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram. It can be understood that the embodiments described in the embodiments of the present disclosure may be implemented by hardware, software, firmware, middleware, microcode, or a combination thereof. For hardware implementation, each module, unit, sub-unit or sub-module, etc.
  • ASIC: application specific integrated circuit
  • DSP: digital signal processor
  • DSP Device: digital signal processing device
  • PLD: programmable logic device
  • FPGA: field-programmable gate array
  • the technology described in the embodiments of the present disclosure can be implemented by modules (for example, procedures, functions, etc.) that perform the functions described in the embodiments of the present disclosure.
  • the software codes can be stored in the memory and executed by the processor.
  • the memory can be implemented in the processor or external to the processor.

Abstract

Disclosed are a request, query and authorization processing method for a call, devices, an apparatus, and a medium. The method comprises: a user equipment determines user authorization configuration information according to app call information permitted or authorized by a user, and sends same to a network side device by means of an edge computing enablement server for a network exposure function to query permission or authorization for a call; when an edge computing application server acts as an application function to request a call to the network exposure function of a 3GPP network, the permission or authorization of the user equipment for the call is queried; and the network exposure function allows the call of the edge computing application server when it is determined that the user equipment has permitted or authorized the call.

Description

Call request, query, and authorization processing method, equipment, device, and medium
Cross-reference to related applications
This application claims the priority of Chinese Patent Application No. 202010084031.5 filed in China on February 10, 2020, the entire content of which is incorporated herein by reference.
Technical field
The present disclosure relates to the field of wireless communication technology, and in particular to a call request, query, and authorization processing method, equipment, device, and medium.
Background
Edge computing is an important technology for meeting the key performance indicators of 5G networks. Through the deployment of MEC (Multi-access Edge Computing), operators can provide computing capabilities and services for vertical industries and expose network capabilities to third-party applications. At the same time, vertical industries can deploy various applications at the edge of the operator's network with the help of MEC and invoke the exposed network capabilities.
At present, 3GPP SA2 is carrying out research on the Rel-16 version of the standard and has proposed a network architecture for edge computing. 3GPP SA6 has carried out considerable research work on MEC and has proposed an edge computing application architecture. Figure 1 is a schematic diagram of the network architecture of MEC with an offloading UPF (User Plane Function) as defined by SA2, and Figure 2 is a schematic diagram of the network architecture of MEC without an offloading UPF as defined by SA2. In the two architectures defined by SA2 and shown in Figures 1 and 2, the local UPF (PSA (PDU Session Anchor; PDU: Protocol Data Unit) / BP (Branching Point)) performs local offloading, the remote UPF serves as the remote anchor of the edge computing service, and the local UPF and the remote UPF access the same DN (Data Network). The offloading policy is the responsibility of the SMF (Session Management Function), which can formulate the offloading policy according to the operating status, the application location, or the location of the UE (User Equipment).
Figure 3 is a schematic diagram of the network structure in which the edge data network provides services to the UE. As shown in the figure, the current application layer of edge computing is divided into a three-layer structure: the Edge Application Server, the Edge Enabler Server, and the Edge Data Network Configuration Server. The UE, acting as an Application Client, makes application requests to the edge computing application server; before making a request, the UE needs to obtain information about the edge computing application server from the edge computing enabling server in order to establish interaction with the edge application server. The edge data network configuration server is used to send the address of the edge application server to the Edge Enabler Client on the UE.
The edge computing network and the 3GPP network interact with the corresponding network elements through the edge application server and the edge computing enabling server.
The disadvantage of the related art is that, in the existing edge computing process, user information may be leaked.
Summary of the invention
An embodiment of the present disclosure provides a method for processing a call request, including:
when an edge computing application server, acting as an AF, requests a call from the NEF of the 3GPP network, querying the UE's permission or authorization for the call;
when it is determined that the UE has permitted or authorized the call, requesting the call from the NEF of the 3GPP network.
In some optional embodiments, when the edge computing application server queries the UE's permission or authorization for the call, it queries the user configuration information server at the application layer;
the method further includes:
when it is determined that the UE has permitted or authorized the call, carrying user permission information when requesting the call from the NEF of the 3GPP network; or,
when the UDM and the application-layer user information server share the UE's permission or authorization information for the call, and it is determined that the UE has permitted or authorized the call, carrying, when requesting the call from the NEF of the 3GPP network, the user permission information together with a verification code computed using the security key shared by the UDM and the application-layer user information server.
An embodiment of the present disclosure provides a method for processing a call request, including:
receiving a call requested from the NEF of the 3GPP network by the edge computing application server acting as an AF; or receiving a call carrying user permission information requested from the NEF of the 3GPP network by the edge computing application server; or receiving a call carrying user permission information and a verification code requested from the NEF of the 3GPP network by the edge computing application server, where the verification code is computed, when the UDM and the application-layer user information server share the UE's permission or authorization information for the call, using the security key shared by the UDM and the application-layer user information server;
the NEF querying the UE's permission or authorization for the call;
the NEF allowing the call by the edge computing application server when it determines that the UE has permitted or authorized the call.
In some optional embodiments, when the call requested from the NEF of the 3GPP network by the edge computing application server acting as an AF is received, the NEF queries the UDM or UDR for the UE's permission or authorization for the call; or,
when the call carrying user permission information requested from the NEF of the 3GPP network by the edge computing application server is received, the NEF queries the UDM for the UE's permission or authorization for the call; or,
when the call carrying user permission information and a verification code requested from the NEF of the 3GPP network by the edge computing application server is received, the NEF queries its local database, according to the user authorization configuration, for the UE's permission or authorization for the call, or queries the UDM for the UE's permission or authorization for the call.
An embodiment of the present disclosure provides a method for querying a call, including:
the UDM or UDR receiving a query about a call from the NEF, the query asking whether the call is a call permitted or authorized by the UE;
the UDM or UDR determining, according to the user authorization configuration, whether the call is a call permitted or authorized by the UE, and feeding the determination result back to the NEF.
In some optional embodiments, the user authorization configuration is pre-configured or is configured according to user authorization configuration information sent by the edge computing enabling server.
An embodiment of the present disclosure provides a call authorization method, including:
the UE determining the APP calls permitted or authorized by the user;
the UE determining user authorization configuration information according to the APP call information permitted or authorized by the user;
the UE sending the user authorization configuration information to the edge computing enabling server.
In some optional embodiments, the method further includes:
the UE saving the user authorization configuration information.
In some optional embodiments, the method further includes:
updating the user authorization configuration information according to an instruction of the edge computing enabling server.
In some optional embodiments, the user permits or authorizes APP calls at the granularity of an application or at the granularity of a call event.
An embodiment of the present disclosure provides a call authorization processing method, including:
the edge computing enabling server receiving user authorization configuration information sent by the UE, the user authorization configuration information containing the APP call information permitted or authorized by the user;
the edge computing enabling server sending the user authorization configuration information to a network side device, for the NEF to query the permission or authorization for a call.
In some optional embodiments, the network side device is one of, or a combination of, the following devices: the UDM, the UDR, the application-layer user information server, and the NEF.
In some optional embodiments, the method further includes:
according to an instruction given by the user in the process of requesting an edge computing application, the edge computing enabling server instructing the UE to update the user authorization configuration information on the UE.
In some optional embodiments, the user permits or authorizes APP calls at the granularity of an application or at the granularity of a call event.
An embodiment of the present disclosure provides a call authorization processing method, including:
the network side device receiving user authorization configuration information sent by the edge computing enabling server, the user authorization configuration information containing the APP call information permitted or authorized by the user;
the network side device receiving a query about a call sent by the NEF, the query asking whether the call is a call permitted or authorized by the UE;
the network side device determining, according to the user authorization configuration, whether the call is a call permitted or authorized by the UE.
In some optional embodiments, the network side device is one of, or a combination of, the following devices: the UDM, the UDR, the application-layer user information server, and the NEF.
In some optional embodiments, the user permits or authorizes APP calls at the granularity of an application or at the granularity of a call event.
An embodiment of the present disclosure provides an edge computing application server, including:
a processor, configured to read a program in a memory and perform the following process:
when the edge computing application server, acting as an AF, requests a call from the NEF of the 3GPP network, querying the UE's permission or authorization for the call;
when it is determined that the UE has permitted or authorized the call, requesting the call from the NEF of the 3GPP network;
a transceiver, configured to receive and send data under the control of the processor.
In some optional embodiments, when the edge computing application server queries the UE's permission or authorization for the call, it queries the user configuration information server at the application layer;
the processor is further configured to:
when it is determined that the UE has permitted or authorized the call, carry user permission information when requesting the call from the NEF of the 3GPP network; or,
when the UDM and the application-layer user information server share the UE's permission or authorization information for the call, and it is determined that the UE has permitted or authorized the call, carry, when requesting the call from the NEF of the 3GPP network, the user permission information together with a verification code computed using the security key shared by the UDM and the application-layer user information server.
An embodiment of the present disclosure provides a call request processing device, including:
a first query module, configured to query the UE's permission or authorization for the call when the edge computing application server, acting as an AF, requests a call from the NEF of the 3GPP network;
a request module, configured to request the call from the NEF of the 3GPP network when it is determined that the UE has permitted or authorized the call.
An embodiment of the present disclosure provides a NEF, including:
a processor, configured to read a program in a memory and perform the following process:
receiving a call requested from the NEF of the 3GPP network by the edge computing application server acting as an AF; or receiving a call carrying user permission information requested from the NEF of the 3GPP network by the edge computing application server; or receiving a call carrying user permission information and a verification code requested from the NEF of the 3GPP network by the edge computing application server, where the verification code is computed, when the UDM and the application-layer user information server share the UE's permission or authorization information for the call, using the security key shared by the UDM and the application-layer user information server;
querying the UE's permission or authorization for the call;
when it is determined that the UE has permitted or authorized the call, allowing the call by the edge computing application server;
a transceiver, configured to receive and send data under the control of the processor.
In some optional embodiments, when the call requested from the NEF of the 3GPP network by the edge computing application server acting as an AF is received, the UDM or UDR is queried for the UE's permission or authorization for the call; or,
when the call carrying user permission information requested from the NEF of the 3GPP network by the edge computing application server is received, the UDM is queried for the UE's permission or authorization for the call; or,
when the call carrying user permission information and a verification code requested from the NEF of the 3GPP network by the edge computing application server is received, the local database is queried, according to the user authorization configuration, for the UE's permission or authorization for the call, or the UDM is queried for the UE's permission or authorization for the call.
An embodiment of the present disclosure provides a call request processing device, including:
a first receiving module, configured to receive a call requested from the NEF of the 3GPP network by the edge computing application server acting as an AF; or to receive a call carrying user permission information requested from the NEF of the 3GPP network by the edge computing application server; or to receive a call carrying user permission information and a verification code requested from the NEF of the 3GPP network by the edge computing application server, where the verification code is computed, when the UDM and the application-layer user information server share the UE's permission or authorization information for the call, using the security key shared by the UDM and the application-layer user information server;
a second query module, configured to query the UE's permission or authorization for the call;
a call module, configured to allow the call by the edge computing application server when it is determined that the UE has permitted or authorized the call.
An embodiment of the present disclosure provides a communication device, located in a UDM or UDR, including:
a processor, configured to read a program in a memory and perform the following process:
the UDM or UDR receiving a query about a call from the NEF, the query asking whether the call is a call permitted or authorized by the UE;
the UDM or UDR determining, according to the user authorization configuration, whether the call is a call permitted or authorized by the UE, and feeding the determination result back to the NEF;
a transceiver, configured to receive and send data under the control of the processor.
In some optional embodiments, the user authorization configuration is pre-configured or is configured according to user authorization configuration information sent by the edge computing enabling server.
An embodiment of the present disclosure provides a communication device, located in a UDM or UDR, including:
a second receiving module, configured to receive a query about a call from the NEF, the query asking whether the call is a call permitted or authorized by the UE;
an authorization confirmation module, configured to determine, according to the user authorization configuration, whether the call is a call permitted or authorized by the UE, and to feed the determination result back to the NEF.
An embodiment of the present disclosure provides a terminal device, including:
a processor, configured to read a program in a memory and perform the following process:
determining the APP calls permitted or authorized by the user;
determining user authorization configuration information according to the APP call information permitted or authorized by the user;
sending the user authorization configuration information to the edge computing enabling server;
a transceiver, configured to receive and send data under the control of the processor.
In some optional embodiments, the processor is further configured to:
save the user authorization configuration information.
In some optional embodiments, the processor is further configured to:
update the user authorization configuration information according to an instruction of the edge computing enabling server.
In some optional embodiments, the user permits or authorizes APP calls at the granularity of an application or at the granularity of a call event.
An embodiment of the present disclosure provides a call authorization device, including:
a first determining module, configured to determine the APP calls permitted or authorized by the user;
a configuration module, configured to determine user authorization configuration information according to the APP call information permitted or authorized by the user;
a first sending module, configured to send the user authorization configuration information to the edge computing enabling server.
An embodiment of the present disclosure provides an edge computing enabling server, including:
a processor, configured to read a program in a memory and perform the following process:
receiving user authorization configuration information sent by the UE, the user authorization configuration information containing the APP call information permitted or authorized by the user;
sending the user authorization configuration information to a network side device, for the NEF to query the permission or authorization for a call;
a transceiver, configured to receive and send data under the control of the processor.
In some optional embodiments, the network side device is one of, or a combination of, the following devices: the UDM, the UDR, the application-layer user information server, and the NEF.
In some optional embodiments, the processor is further configured to:
according to an instruction given by the user in the process of requesting an edge computing application, instruct the UE to update the user authorization configuration information on the UE.
In some optional embodiments, the user permits or authorizes APP calls at the granularity of an application or at the granularity of a call event.
An embodiment of the present disclosure provides a call authorization processing device, including:
a third receiving module, configured to receive user authorization configuration information sent by the UE, the user authorization configuration information containing the APP call information permitted or authorized by the user;
a second sending module, configured to send the user authorization configuration information to a network side device, for the NEF to query the permission or authorization for a call.
An embodiment of the present disclosure provides a communication device, located in one of the following devices: a UDM, a UDR, the application-layer user information server, or a NEF, including:
a processor, configured to read a program in a memory and perform the following process:
receiving user authorization configuration information sent by the edge computing enabling server, the user authorization configuration information containing the APP call information permitted or authorized by the user;
receiving a query about a call sent by the NEF, the query asking whether the call is a call permitted or authorized by the UE;
determining, according to the user authorization configuration, whether the call is a call permitted or authorized by the UE;
a transceiver, configured to receive and send data under the control of the processor.
In some optional embodiments, the user permits or authorizes APP calls at the granularity of an application or at the granularity of a call event.
An embodiment of the present disclosure provides a call authorization processing device, including:
a fourth receiving module, configured to receive user authorization configuration information sent by the edge computing enabling server, the user authorization configuration information containing the APP call information permitted or authorized by the user;
a fifth receiving module, configured to receive a query about a call sent by the NEF, the query asking whether the call is a call permitted or authorized by the UE;
a second determining module, configured to determine, according to the user authorization configuration, whether the call is a call permitted or authorized by the UE.
An embodiment of the present disclosure provides a computer-readable storage medium, wherein the computer-readable storage medium stores a program for executing the above method.
The beneficial effects of the present disclosure are as follows:
In the technical solution provided by the embodiments of the present disclosure, the UE determines user authorization configuration information according to the APP call information permitted or authorized by the user, and sends it to the edge computing enabling server;
after receiving the user authorization configuration information sent by the UE, the edge computing enabling server sends it to a network side device, for the NEF to query the permission or authorization for a call; the network side device may be a UDM, a UDR, the application-layer user information server, a NEF, or the like.
When the edge computing application server, acting as an AF, requests a call from the NEF of the 3GPP network, it queries the UE's permission or authorization for the call; when it is determined that the UE has permitted or authorized the call, it requests the call from the NEF of the 3GPP network;
the NEF allows the call by the edge computing application server when it determines that the UE has permitted or authorized the call.
On the one hand, when the edge computing application server makes a call, whether that call is permitted or authorized is queried; on the other hand, because the UDM, the UDR, the application-layer user information server, the NEF, etc. already know the user's permission or authorization for the application's calls, they can confirm the query about the call. Therefore, by verifying the user's authorization or permission for an edge computing application to invoke network capabilities, leakage of user information when the edge computing application invokes network capabilities is avoided.
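The two phases summarized above (the UE's authorization configuration reaching the network side devices via the edge computing enabling server, then the NEF's three call-handling variants) as an added Python model; this is example code, not code from the patent. It assumes the application-layer user information server holds the same configuration as the UDM, that the verification code is an HMAC-SHA256 over the carried user permission information (the page does not specify the algorithm), and that the permission information is encoded as a "ue|app|event" string; all identifiers are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set

ANY_EVENT = "*"  # application-granularity grant: every call event of that app


@dataclass
class UserAuthorizationConfig:
    """Built by the UE from the APP calls the user permitted or authorized."""
    ue_id: str
    allowed: Dict[str, Set[str]]  # app_id -> permitted events, or {ANY_EVENT}

    def permits(self, app_id: str, event: str) -> bool:
        events = self.allowed.get(app_id, set())
        return ANY_EVENT in events or event in events


class AuthorizationStore:
    """Network side device holding user authorization configs (UDM/UDR, the
    application-layer user information server, or the NEF's local database)."""
    def __init__(self) -> None:
        self.configs: Dict[str, UserAuthorizationConfig] = {}

    def store(self, cfg: UserAuthorizationConfig) -> None:
        self.configs[cfg.ue_id] = cfg

    def query(self, ue_id: str, app_id: str, event: str) -> bool:
        cfg = self.configs.get(ue_id)
        return cfg is not None and cfg.permits(app_id, event)


def edge_enabler_forward(cfg, *devices):
    # Edge computing enabling server: relay the UE's config to network side devices
    for device in devices:
        device.store(cfg)


def permission_info(ue_id: str, app_id: str, event: str) -> bytes:
    # Assumed encoding of the "user permission information" carried in a call
    return f"{ue_id}|{app_id}|{event}".encode()


def verification_code(shared_key: bytes, info: bytes) -> bytes:
    # Assumed construction: keyed MAC over the permission info under the key
    # shared by the UDM and the application-layer user information server
    return hmac.new(shared_key, info, hashlib.sha256).digest()


@dataclass
class CallRequest:
    ue_id: str
    app_id: str
    event: str
    info: Optional[bytes] = None  # user permission information (variants 2 and 3)
    code: Optional[bytes] = None  # verification code (variant 3 only)


class EdgeApplicationServer:
    """Acts as AF: asks the app-layer user info server before calling the NEF."""
    def __init__(self, app_id: str, user_info: AuthorizationStore,
                 shared_key: Optional[bytes] = None) -> None:
        self.app_id, self.user_info, self.shared_key = app_id, user_info, shared_key

    def build_request(self, ue_id: str, event: str) -> Optional[CallRequest]:
        if not self.user_info.query(ue_id, self.app_id, event):
            return None  # the user did not permit this call: do not request it
        info = permission_info(ue_id, self.app_id, event)
        code = verification_code(self.shared_key, info) if self.shared_key else None
        return CallRequest(ue_id, self.app_id, event, info, code)


class NEF:
    def __init__(self, udm: AuthorizationStore, shared_key: Optional[bytes] = None,
                 local_db: Optional[AuthorizationStore] = None) -> None:
        self.udm, self.shared_key, self.local_db = udm, shared_key, local_db

    def handle(self, req: CallRequest) -> str:
        store = self.udm  # variants 1 and 2: ask the UDM (or UDR)
        if req.code is not None:  # variant 3: verify the code, then use the local db
            if req.info != permission_info(req.ue_id, req.app_id, req.event):
                return "rejected: permission info does not match the request"
            if self.shared_key is None or not hmac.compare_digest(
                    verification_code(self.shared_key, req.info), req.code):
                return "rejected: verification code mismatch"
            store = self.local_db if self.local_db is not None else self.udm
        if store.query(req.ue_id, req.app_id, req.event):
            return "allowed"
        return "rejected: call not permitted or authorized by the user"


def scenario() -> list:
    """Constructed walk-through: one UE, two edge apps, three NEF decisions."""
    key = b"constructed-shared-key"
    udm, app_info, nef_db = AuthorizationStore(), AuthorizationStore(), AuthorizationStore()
    # The user lets app "nav" make any call but app "ads" only report location
    cfg = UserAuthorizationConfig("ue-1", {"nav": {ANY_EVENT}, "ads": {"location_report"}})
    edge_enabler_forward(cfg, udm, app_info, nef_db)
    nef = NEF(udm, key, nef_db)
    nav = EdgeApplicationServer("nav", app_info)       # variant 1: no code carried
    ads = EdgeApplicationServer("ads", app_info, key)  # variant 3: info plus code
    good = ads.build_request("ue-1", "location_report")
    forged = CallRequest("ue-1", "ads", "qos_change", good.info, good.code)
    return [nef.handle(nav.build_request("ue-1", "qos_change")),
            ads.build_request("ue-1", "qos_change"),   # None: refused at the AF
            nef.handle(good), nef.handle(forged)]
```

The forged request reuses a valid permission-info/code pair for a different call event, which the NEF rejects before consulting any store.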
Description of the drawings
The drawings described here are provided for further understanding of the present disclosure and form a part of it; the exemplary embodiments of the present disclosure and their descriptions serve to explain the disclosure and do not constitute an improper limitation of it. In the drawings:
FIG. 1 is a schematic diagram of the network architecture of MEC with an offloading UPF as defined by SA2 in the background art;
FIG. 2 is a schematic diagram of the network architecture of MEC without an offloading UPF as defined by SA2 in the background art;
FIG. 3 is a schematic diagram of the network structure in which an edge data network provides services to a UE in the background art;
FIG. 4 is a schematic diagram of the relationship between the authorization processing stage and the invocation processing stage in an embodiment of the present disclosure;
FIG. 5 is a schematic flowchart of the invocation authorization method on the UE side in an embodiment of the present disclosure;
FIG. 6 is a schematic flowchart of the invocation authorization processing method on the edge computing enabling server side in an embodiment of the present disclosure;
FIG. 7 is a schematic flowchart of the invocation authorization processing method on the network-side device in an embodiment of the present disclosure;
FIG. 8 is a schematic flowchart of the authorization processing in Embodiment 1 of the present disclosure;
FIG. 9 is a schematic flowchart of the authorization processing in Embodiment 2 of the present disclosure;
FIG. 10 is a schematic flowchart of the processing method for requesting an invocation on the edge computing application server side of the present disclosure;
FIG. 11 is a schematic flowchart of the processing method for a requested invocation on the NEF side of the present disclosure;
FIG. 12 is a schematic flowchart of the invocation query method on the UDM side of the present disclosure;
FIG. 13 is a schematic flowchart of the invocation processing in Embodiment 3 of the present disclosure;
FIG. 14 is a schematic flowchart of the invocation processing in Embodiment 4 of the present disclosure;
FIG. 15 is a schematic flowchart of the invocation processing in Embodiment 5 of the present disclosure;
FIG. 16 is a schematic flowchart of the invocation processing in Embodiment 6 of the present disclosure;
FIG. 17 is a schematic diagram of structure 1 of the edge computing application server in an embodiment of the present disclosure;
FIG. 18 is a schematic diagram of the NEF structure in an embodiment of the present disclosure;
FIG. 19 is a schematic diagram of structure 1 of a communication device in an embodiment of the present disclosure;
FIG. 20 is a schematic diagram of the UE structure in an embodiment of the present disclosure;
FIG. 21 is a schematic diagram of structure 2 of the edge computing enabling server in an embodiment of the present disclosure;
FIG. 22 is a schematic diagram of structure 2 of a communication device in an embodiment of the present disclosure.
Detailed description of the embodiments
During the course of the invention, the inventors noted the following:
In edge computing services, network functions need to be exposed to edge application servers, and this process may involve certain sensitive information, in particular users' sensitive information (such as location information). Therefore, the UE needs to know which network capabilities the network will expose to which edge computing applications, and whether the user allows those edge computing applications to invoke network capabilities to obtain the user's information.
In the related art, however, there is no scheme for the UE to permit or authorize an edge computing application server's invocation of exposed network capabilities, which may allow the edge computing application server to obtain even the user's private information without the user's authorization, causing user information leakage.
Based on this, embodiments of the present disclosure provide a processing scheme for the procedure in which an edge computing application server requests an invocation from the NEF, so as to solve how a user consents to or authorizes an edge computing service invoking the network's open APIs to access the user's information, in particular private information.
Specific embodiments of the present disclosure are described below with reference to the drawings.
In the description, the implementations on the UE, edge computing application server, UDM, UDR, application-layer user information server, NEF and other sides are described separately, and examples of their implementation in combination are then given to better understand the implementation of the schemes provided in the embodiments. This manner of description does not mean that they must be implemented in combination or must be implemented separately; in fact, when implemented separately, each solves the problem on its own side, and when used in combination, better technical effects are obtained.
In the description, the implementation is divided into two parts according to its stages: one part is called the authorization processing stage in the embodiments, and the other is called the invocation processing stage. Clearly the two parts are both independent and interrelated: the authorization processing stage determines the application authorizations the user allows, and the invocation processing stage lets applications invoke in accordance with the user's authorization, thereby protecting user information.
Specifically, in the scheme in which the user authorizes the edge computing application server to invoke network capabilities, the user's permission information for a given service's use of network capabilities is synchronized between the application layer and the core network, and configuration updates of the user's application attributes are likewise changed synchronously in the application layer and the core network; when an edge computing application service invokes a network capability, the NEF (Network Exposure Function) matches the user configuration authorization received from the AS (Access Stratum) against that stored in the core network.
FIG. 4 is a schematic diagram of the relationship between the authorization processing stage and the invocation processing stage; as shown, it includes:
Authorization processing stage: step 401, the user's permission configuration for the APP to invoke network capabilities;
Invocation processing stage: step 402, authorization verification of the user's APP invoking network capabilities.
Specifically, in some optional embodiments, the user's update of the application configuration may first be uploaded through the edge computing enabling server to the application-layer database (the UE's information server). That is, the application layer and the core network identify the UE's permission for API invocations according to the UE's authorization configuration. The authorization configuration defines which API invocations of network capabilities are allowed or not allowed. When the edge computing application server (or the enabling server) requests invocation of a network capability, whether to allow the invocation is decided according to the queried user's authorization or permission for that edge computing application service.
1. Authorization processing stage.
FIG. 5 is a schematic flowchart of the invocation authorization method on the UE side; as shown, it may include:
Step 501: the UE determines the APP invocations permitted or authorized by the user;
Step 502: the UE determines the user authorization configuration information according to the user-permitted or user-authorized APP invocation information;
Step 503: the UE sends the user authorization configuration information to the edge computing enabling server.
In some optional embodiments, the method may further include:
the UE storing the user authorization configuration information.
In some optional embodiments, the method may further include:
updating the user authorization configuration information according to an indication from the edge computing enabling server.
FIG. 6 is a schematic flowchart of the invocation authorization processing method on the edge computing enabling server side; as shown, it may include:
Step 601: the edge computing enabling server receives the user authorization configuration information sent by the UE, which contains the APP invocation information permitted or authorized by the user;
Step 602: the edge computing enabling server sends the user authorization configuration information to the network-side device, for the NEF to query the permission or authorization of invocations.
In some optional embodiments, the network-side device may be one of the following devices or a combination of them: UDM (Unified Data Management), UDR (Unified Data Repository), the application-layer user information server, the NEF.
In some optional embodiments, the method may further include:
according to the user's indication during the process of requesting an edge computing application, the edge computing enabling server instructing the UE to update the user authorization configuration information on the UE.
FIG. 7 is a schematic flowchart of the invocation authorization processing method on the network-side device; as shown, it may include:
Step 701: the network-side device receives the user authorization configuration information sent by the edge computing enabling server, which contains the APP invocation information permitted or authorized by the user;
Step 702: the network-side device receives a query about an invocation sent by the NEF, the query asking whether the invocation is one permitted or authorized by the UE;
Step 703: the network-side device determines, according to the user authorization configuration, whether the invocation is one permitted or authorized by the UE.
In some optional embodiments, the network-side device may be one or a combination of the following: UDM, UDR, the application-layer user information server, the NEF.
Specifically, in the APP-based authorization and permission configuration process, the user's permission for APP authorization may be preconfigured in the core network element UDM, or preconfigured in the application-layer server responsible for managing user subscription information. At the same time, the user's permission information may also be stored on the terminal side.
The invocation permission configuration may be at application granularity or at invocation-event granularity. At application granularity, the configuration information contains the APP ID (application identifier), and the APP may invoke all capabilities supported by core network capability exposure; at invocation-event granularity, the configuration information contains the event ID (event identifier), and only that APP's invocation of the capability for that particular event is supported. That is, in some of the optional embodiments above, the user's permission or authorization of APP invocations is granted at application granularity or at invocation-event granularity.
During the process of requesting an edge computing application, the user can, via the edge computing enabling server, update the UE's configuration information so as to update the flag indicating whether the UE authorizes that APP to invoke network capabilities.
The following describes this with examples.
Embodiment 1:
In this example, the enabling server's request is processed by the UDM or UDR.
FIG. 8 is a schematic flowchart of the authorization processing of Embodiment 1; as shown, it may include:
Step 801: the request for edge computing application server information carries information on whether the APP is allowed to invoke network capabilities.
The user requests the edge computing server information, and the request carries the information on whether this user allows invocation of network capabilities.
Step 802: update request (query the UE's permission status for each APP, and update the setting if inconsistent).
The edge computing application server interacts with the 3GPP network element, requesting to query and update the user's capability-invocation permission for a given APP. The network element shown in the figure is the UDM or UDR.
Step 803: if the UE privacy permission flag is 1, the invocation is allowed; otherwise it is 0. The UE privacy permission flag information is bound to the UE identifier and the APP identifier.
The 3GPP network entity verifies the request message and, once verification passes, updates the permission flag according to the user's ID and the APP identifier/APP event ID.
Step 804: update response, notifying that the update has been made according to the user's wishes.
The 3GPP network entity returns the update response information.
Step 805: APP information together with an indication that the APP's network-capability-invocation permission has been updated.
While responding with the APP information, the enabling server notifies the user of the updated permission flag.
Embodiment 2:
In this example, the enabling server's request is processed by the application-layer user profile server.
FIG. 9 is a schematic flowchart of the authorization processing of Embodiment 2; as shown, it may include:
Step 901: the request for edge computing application server information carries information on whether the APP is allowed to invoke network capabilities.
The user requests the edge computing server information, and the request carries the information on whether this user allows invocation of network capabilities.
Step 902: update request (query the UE's permission status for each APP, and update the setting if inconsistent).
The edge computing application server interacts with the application-layer user profile server, requesting to query and update the user's capability-invocation permission for a given APP.
Step 903: if the UE privacy permission flag is 1, the invocation is allowed; otherwise it is 0. The UE privacy permission flag information is bound to the UE identifier and the APP identifier.
The application-layer user profile server verifies the request message and, once verification passes, updates the permission flag according to the user's ID and the APP identifier. The network element shown in the figure is the application-layer user profile server (UE profile server in Application layer).
Step 904: update response, notifying that the update has been made according to the user's wishes.
The application-layer user profile server returns the update response information.
Step 905: APP information together with an indication that the APP's network-capability-invocation permission has been updated.
While responding with the APP information, the enabling server notifies the user of the updated permission flag.
The user information server in this embodiment is in fact a proxy entity of the core network UDM and stores the configuration information of edge computing nodes. The data in this proxy entity is a mirror of the core network UDM: when the user initially attaches to the network, the core network allocates the edge computing network service provided to the user according to the user's location, and at the same time backs up the user's subscription information and application configuration information to this mirror server.
When the user's location moves out of the edge computing network, the server may delete the user's subscription configuration information. Thus, configuration at the application layer enables fast querying of the user's authorization of network capability exposure for that application.
Embodiment 1 and Embodiment 2 may be independent or associated. When the core network and the application layer fully trust each other, they may be used independently; otherwise the enabler server needs to synchronize the UE's configuration information in both the application layer and the UDM.
2. Invocation processing stage.
FIG. 10 is a schematic flowchart of the processing method for requesting an invocation on the edge computing application server side; as shown, it may include:
Step 1001: when the edge computing application server, acting as an AF, requests an invocation from the 3GPP network NEF, query the UE's permission or authorization for the invocation;
Step 1002: when it is determined that the UE has permitted or authorized the invocation, request the invocation from the 3GPP network NEF.
In some optional embodiments, when the edge computing application server queries the UE's permission or authorization for the invocation, it queries the application-layer user profile information server;
the method may then further include:
when it is determined that the UE has permitted or authorized the invocation, carrying the user permission information when requesting the invocation from the 3GPP network NEF; or,
when the UDM and the application-layer user information server share the UE's permission or authorization information for invocations, carrying, when it is determined that the UE has permitted or authorized the invocation and the invocation is requested from the 3GPP network NEF, the user permission information together with a verification code computed using the security key shared by the UDM and the application-layer user information server.
FIG. 11 is a schematic flowchart of the processing method for a requested invocation on the NEF side; as shown, it may include:
Step 1101: receive the invocation requested from the 3GPP network NEF by the edge computing application server acting as an AF; or receive the invocation requested from the 3GPP network NEF by the edge computing application server carrying user permission information; or receive the invocation requested from the 3GPP network NEF by the edge computing application server carrying user permission information and a verification code, where the verification code is computed, when the UDM and the application-layer user information server share the UE's permission or authorization information for invocations, using the security key shared by the UDM and the application-layer user information server;
Step 1102: the NEF queries the UE's permission or authorization for the invocation;
Step 1103: when the NEF determines that the UE has permitted or authorized the invocation, it allows the edge computing application server's invocation.
In some optional embodiments, when receiving the invocation requested from the 3GPP network NEF by the edge computing application server acting as an AF, the NEF queries the UDM or UDR for the UE's permission or authorization for the invocation; or,
when receiving the invocation carrying user permission information requested from the 3GPP network NEF by the edge computing application server, the NEF queries the UDM for the UE's permission or authorization for the invocation; or,
when receiving the invocation carrying user permission information and a verification code requested from the 3GPP network NEF by the edge computing application server, the NEF queries the UE's permission or authorization for the invocation in its local database according to the user authorization configuration, or queries the UDM for the UE's permission or authorization for the invocation.
FIG. 12 is a schematic flowchart of the invocation query method on the UDM side; as shown, it may include:
Step 1201: the UDM or UDR receives the NEF's query about an invocation, the query asking whether the invocation is one permitted or authorized by the UE;
Step 1202: the UDM or UDR determines, according to the user authorization configuration, whether the invocation is one permitted or authorized by the UE, and returns the determination result to the NEF.
In some optional embodiments, the user authorization configuration is preconfigured, or is configured according to the user authorization configuration information sent by the edge computing enabling server.
Specifically, in the process of verifying the authorization of an edge computing application to invoke network capabilities, when the edge computing application server (the enabling server, which here acts as the proxy of the edge application server), acting as an AF (Application Function), requests an invocation from the 3GPP network NEF (Network Exposure Function), the UE's permission or authorization for the invocation needs to be queried.
When the AF initiates the request it needs to carry the edge computing service type, or the network identifies from the IP address that the AF is an edge computing application instance.
When the NEF receives a request of this type, it needs to query the user configuration information to confirm whether the UE allows or authorizes the invocation.
The user configuration information may be held by the 3GPP network entity UDM or UDR, or by an independent application-layer user configuration information server.
Embodiment 3
FIG. 13 is a schematic flowchart of the invocation processing in Embodiment 3; as shown, it may include:
Step 1301: capability invocation request, carrying the UE's identifier and the edge computing service type.
The edge computing application server requests the NEF to verify whether the UE allows the APP's invocation of network capabilities.
Step 1302: capability invocation verification request.
The NEF initiates a request to the UDM/UDR to query whether the UE allows invocation by the APP, or by the APP's event ID.
Step 1303: confirm whether invocation of the service is allowed using the UE identifier, invocation ID, APP identifier and the UE's privacy permission flag.
The UDM or UDR queries and verifies.
Step 1304: if allowed, return the relevant invocation information.
The UDM/UDR returns to the NEF the corresponding user authorization flag information. If the invocation is allowed, the UDM/UDR returns a permission flag of 1; otherwise it returns a permission flag of 0.
Step 1305: return the invocation information to the APP.
If the queried permission result is 1, the NEF returns the corresponding event information; otherwise the returned event information is empty.
Embodiment 4
In this example, if the user information query is located at the application layer, the NEF obtains the user permission information through the enabling server.
FIG. 14 is a schematic flowchart of the invocation processing in Embodiment 4; as shown, it may include:
Step 1401: invocation permission request, carrying the UE's identifier and the edge computing service type.
The edge computing application server (enabling server) queries the application-layer user configuration information server for the user's authorization information for invoking network capabilities.
Step 1402: confirm whether the invocation is allowed using the UE/user identifier, invocation ID, APP identifier and the UE's privacy permission flag.
The application-layer user information configuration server queries the user's authorization for the microservice based on the user identifier, event ID and APP identifier.
Step 1403: if allowed, return the relevant invocation information, carrying the permission information flag.
The application-layer user information configuration server returns the configuration information to the application server with a permission flag of 1; otherwise it returns a permission flag of 0.
Step 1404: capability invocation request, carrying the permission information flag.
The edge computing application server carries the user permission information when requesting the service invocation from the NEF.
Step 1405: capability invocation request, carrying the permission information flag.
The NEF forwards it to the UDM.
Step 1406: permission information flag verification.
The UDM verifies whether the permission flag is consistent with the locally stored one.
Step 1407: return the invocation information to the APP.
If consistent, meaning the user permits the invocation, the UDM returns the result to the NEF.
Step 1408: return the invocation information to the APP.
The NEF returns to the APP the user information event information that needs to be invoked; otherwise the returned event information is empty.
Embodiment 5
In this example, both the application-layer user information database and the NEF store the user's permission for invocation of the service, protected by a MAC (Message Authentication Code). The MAC is a verification code computed using the security key shared by the UDM and the application-layer user information server, ensuring that the authorization information cannot be tampered with.
FIG. 15 is a schematic flowchart of the invocation processing in Embodiment 5; as shown, it may include:
Step 1501: application invocation capability query, carrying the UE's or user's identifier and the edge computing service type.
When the APP server requests a 3GPP network service invocation, it first initiates a query request to the user information server.
Step 1502: confirm whether the invocation is allowed using the UE or user identifier, invocation ID, APP identifier and the UE's privacy permission flag.
The application-layer user configuration information server queries the user's authorization for the microservice.
Step 1503: if allowed, return the relevant invocation information, carrying the permission information flag and the MAC.
The edge computing application-layer configuration server returns the configuration information to the application server.
Step 1504: capability invocation request, carrying the permission information flag and the MAC.
The edge computing application server (enabling server) carries the user permission information and the MAC when requesting the service invocation from the NEF.
Step 1505: permission information flag verification.
The NEF verifies whether the MAC value is consistent with the local MAC; if consistent, the user permits the invocation, and the result is returned to the NEF.
Step 1506: return the invocation information to the APP.
The NEF returns to the APP the user information that needs to be invoked. If inconsistent, empty information is returned and the APP's microservice invocation is prohibited.
Embodiment six
In this example, the user's permission for the service call is stored both in the application-layer user information database and in the UDM, and is protected by a MAC.
Figure 16 is a schematic flow diagram of the call processing in embodiment six. As shown in the figure, it may include:
Step 1601: Application call capability query, carrying the UE or user identifier and the edge computing service type.
When the APP server (enabling server) requests a 3GPP network service call, it first sends a query request to the user information server.
Step 1602: Use the UE or user identifier, the call ID, the APP identifier and the UE's privacy permission identifier to confirm whether the call is allowed.
The application-layer user configuration information server looks up the user's permission for the microservice.
Step 1603: If the call is allowed, return the related call information, carrying the permission information identifier and the MAC.
The edge computing application-layer configuration server returns the configuration information to the application server.
Step 1604: Call capability request, carrying the permission information identifier and the MAC.
The edge computing application server carries the user permission information and the MAC when requesting the service call from the NEF.
Step 1605: Call capability request, carrying the permission information identifier and the MAC.
The NEF forwards the request to the UDM.
Step 1606: MAC verification.
The UDM verifies whether the received MAC matches the MAC stored locally.
Step 1607: User permits the call.
If they match, the user has permitted the call, and the UDM returns the result to the NEF.
Step 1608: Return the call information to the APP.
The NEF returns to the APP the user information that is to be invoked.
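The MAC-protected permission flow of embodiments five and six, written out as an added example that is not part of the patent. The names and identifiers (ue-1001, app-nav, the perm: prefix), the JSON canonical encoding, HMAC-SHA256 as the MAC and the pre-shared SHARED_KEY are all assumptions of this example; the patent states only that the key is shared by the UDM and the application-layer user information server. The NEF either checks the presented MAC against its locally stored copy (embodiment five) or forwards the request to the UDM, which recomputes the MAC (embodiment six). The demo also exercises the two failure cases a verifier has to handle: a token reused for an event it was not issued for, and a forged MAC.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from typing import Dict, Optional

# Assumption: the UDM and the application-layer user configuration server already
# share this key; the patent states only that such a shared key exists.
SHARED_KEY = b"udm-user-config-server-shared-key"

@dataclass(frozen=True)
class CallRequest:
    ue_id: str    # UE or user identifier (constructed sample values below)
    app_id: str   # edge application acting as AF
    call_id: str  # network capability / event being invoked

@dataclass(frozen=True)
class Grant:
    """One user permission, at application ("*") or call-event granularity."""
    ue_id: str
    app_id: str
    call_id: str

    @property
    def permission_id(self) -> str:  # the "permission information identifier"
        return f"perm:{self.ue_id}:{self.app_id}:{self.call_id}"

    def covers(self, req: CallRequest) -> bool:
        return ((self.ue_id, self.app_id) == (req.ue_id, req.app_id)
                and self.call_id in ("*", req.call_id))

def compute_mac(key: bytes, grant: Grant) -> str:
    """HMAC-SHA256 over a canonical encoding of the whole grant, so the MAC binds
    UE, application and call rather than an opaque identifier alone."""
    payload = json.dumps(asdict(grant), sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

class UserConfigServer:
    """Application-layer user configuration information server (steps 1502-1503)."""
    def __init__(self, key: bytes, grants):
        self.key, self.grants = key, list(grants)

    def query(self, req: CallRequest) -> Optional[tuple]:
        g = next((g for g in self.grants if g.covers(req)), None)
        return None if g is None else (g.permission_id, compute_mac(self.key, g))

class Udm:
    """UDM: holds the same grants and the shared key; recomputes the MAC (step 1606)."""
    def __init__(self, key: bytes, grants):
        self.key, self.grants = key, {g.permission_id: g for g in grants}

    def verify(self, req: CallRequest, permission_id: str, mac: str) -> bool:
        g = self.grants.get(permission_id)
        if g is None or not g.covers(req):
            return False
        return hmac.compare_digest(compute_mac(self.key, g), mac)  # constant-time compare

class Nef:
    """NEF. With a local copy of the MAC-protected grants it verifies itself
    (embodiment five, step 1505); otherwise it forwards to the UDM (step 1605)."""
    def __init__(self, udm: Udm, local: Optional[Dict[str, tuple]] = None):
        self.udm, self.local = udm, local  # local: permission_id -> (Grant, MAC)

    def invoke(self, req: CallRequest, permission_id: str, mac: str) -> Optional[dict]:
        if self.local is not None:
            entry = self.local.get(permission_id)
            ok = (entry is not None and entry[0].covers(req)
                  and hmac.compare_digest(entry[1], mac))
        else:
            ok = self.udm.verify(req, permission_id, mac)
        # Steps 1506 / 1608: the user information event on success, empty otherwise.
        return {"ue_id": req.ue_id, "event": req.call_id} if ok else None

def app_server_call(config: UserConfigServer, nef: Nef, req: CallRequest) -> Optional[dict]:
    """Edge application server: query the permission first (step 1501), then send
    the capability request carrying permission identifier and MAC (step 1504)."""
    token = config.query(req)
    return None if token is None else nef.invoke(req, *token)

def demo(nef_verifies_locally: bool) -> dict:
    """Constructed scenarios; returns what the NEF answers in each."""
    grants = [Grant("ue-1001", "app-nav", "location"),  # event granularity
              Grant("ue-1002", "app-nav", "*")]         # application granularity
    config, udm = UserConfigServer(SHARED_KEY, grants), Udm(SHARED_KEY, grants)
    local = None
    if nef_verifies_locally:  # MACs computed by the key holder when the NEF is provisioned
        local = {g.permission_id: (g, compute_mac(SHARED_KEY, g)) for g in grants}
    nef = Nef(udm, local)
    location = CallRequest("ue-1001", "app-nav", "location")
    presence = CallRequest("ue-1001", "app-nav", "presence")
    pid, mac = config.query(location)
    forged = mac[:-1] + ("0" if mac[-1] != "0" else "1")
    return {
        "granted_event": app_server_call(config, nef, location),
        "granted_app": app_server_call(config, nef, CallRequest("ue-1002", "app-nav", "presence")),
        "no_grant": app_server_call(config, nef, presence),
        "token_reused_for_other_event": nef.invoke(presence, pid, mac),
        "forged_mac": nef.invoke(location, pid, forged),
    }
```

Two points the example makes that the flow diagrams leave implicit: the MAC must cover the UE, application and call identifiers, otherwise a valid token issued for one event can be presented for another; and the comparison uses hmac.compare_digest rather than ==, so a NEF or UDM that checks many tokens does not leak the stored value through timing. Whether the NEF holds the MACs itself (demo(True), embodiment five) or defers to the UDM (demo(False), embodiment six), the answers are the same.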
Based on the same inventive concept, the embodiments of the present disclosure further provide a base-station-side device, a user equipment and a system. Since the principle by which these devices solve the problem is similar to that of the method, their implementation may refer to the implementation of the method, and repeated content is not described again.
The technical solutions provided by the embodiments of the present disclosure may be implemented as follows.
Figure 17 is a schematic diagram of edge computing application server structure 1. As shown in the figure, the server includes:
a processor 1700, configured to read the program in the memory 1720 and perform the following process:
when the edge computing application server, acting as an AF, requests a call to the 3GPP network NEF, query the UE's permission or authorization for the call;
when it is determined that the UE has permitted or authorized the call, request the call from the 3GPP network NEF;
and a transceiver 1710, configured to receive and send data under the control of the processor 1700.
In some optional embodiments, when the edge computing application server queries the UE's permission or authorization for the call, it queries the user configuration information server at the application layer.
The processor 1700 is further configured to:
when it is determined that the UE has permitted or authorized the call, carry the user permission information in the call request to the 3GPP network NEF; or,
when the UDM and the application-layer user information server share the UE's permission or authorization information for the call and it is determined that the UE has permitted or authorized the call, carry in the call request to the 3GPP network NEF both the user permission information and a verification code computed with the security key shared by the UDM and the application-layer user information server.
In Figure 17, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by the processor 1700 and memory represented by the memory 1720. The bus architecture may also link various other circuits such as peripheral devices, voltage regulators and power management circuits; these are well known in the art and are not described further here. The bus interface provides an interface. The transceiver 1710 may be a plurality of elements, that is, it includes a transmitter and a receiver, providing a unit for communicating with various other apparatuses over a transmission medium. The processor 1700 is responsible for managing the bus architecture and general processing, and the memory 1720 may store data used by the processor 1700 when performing operations.
An embodiment of the present disclosure provides a processing apparatus for a call request, including:
a first query module, configured to query the UE's permission or authorization for the call when the edge computing application server, acting as an AF, requests a call to the 3GPP network NEF;
and a request module, configured to request the call from the 3GPP network NEF when it is determined that the UE has permitted or authorized the call.
For convenience of description, the parts of the apparatus described above are divided by function into modules or units and described separately. Of course, when implementing the present disclosure, the functions of the modules or units may be implemented in one or more pieces of software or hardware.
For the specific implementation, refer to the implementation of the call request processing method on the edge computing application server side described above.
Figure 18 is a schematic diagram of the NEF structure. As shown in the figure, the NEF includes:
a processor 1800, configured to read the program in the memory 1820 and perform the following process:
receive a call requested from the 3GPP network NEF by the edge computing application server acting as an AF; or receive a call requested from the 3GPP network NEF by the edge computing application server that carries user permission information; or receive a call requested from the 3GPP network NEF by the edge computing application server that carries user permission information and a verification code, where the verification code is computed with the security key shared by the UDM and the application-layer user information server when the UDM and the application-layer user information server share the UE's permission or authorization information for the call;
query the UE's permission or authorization for the call;
when it is determined that the UE has permitted or authorized the call, allow the call of the edge computing application server;
and a transceiver 1810, configured to receive and send data under the control of the processor 1800.
In some optional embodiments, when receiving a call requested from the 3GPP network NEF by the edge computing application server acting as an AF, the NEF queries the UDM or the UDR for the UE's permission or authorization for the call; or,
when receiving a call requested from the 3GPP network NEF by the edge computing application server that carries user permission information, the NEF queries the UDM for the UE's permission or authorization for the call; or,
when receiving a call requested from the 3GPP network NEF by the edge computing application server that carries user permission information and a verification code, the NEF queries the UE's permission or authorization for the call in its local database according to the user authorization configuration, or queries the UDM for the UE's permission or authorization for the call.
In Figure 18, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by the processor 1800 and memory represented by the memory 1820. The bus architecture may also link various other circuits such as peripheral devices, voltage regulators and power management circuits; these are well known in the art and are not described further here. The bus interface provides an interface. The transceiver 1810 may be a plurality of elements, that is, it includes a transmitter and a receiver, providing a unit for communicating with various other apparatuses over a transmission medium. The processor 1800 is responsible for managing the bus architecture and general processing, and the memory 1820 may store data used by the processor 1800 when performing operations.
An embodiment of the present disclosure provides a processing apparatus for a call request, including:
a first receiving module, configured to receive a call requested from the 3GPP network NEF by the edge computing application server acting as an AF; or to receive a call requested from the 3GPP network NEF by the edge computing application server that carries user permission information; or to receive a call requested from the 3GPP network NEF by the edge computing application server that carries user permission information and a verification code, where the verification code is computed with the security key shared by the UDM and the application-layer user information server when the UDM and the application-layer user information server share the UE's permission or authorization information for the call;
a second query module, configured to query the UE's permission or authorization for the call;
and a call module, configured to allow the call of the edge computing application server when it is determined that the UE has permitted or authorized the call.
For convenience of description, the parts of the apparatus described above are divided by function into modules or units and described separately. Of course, when implementing the present disclosure, the functions of the modules or units may be implemented in one or more pieces of software or hardware.
For details, refer to the implementation of the call request processing method on the NEF side described above.
Figure 19 is a schematic diagram of communication device structure 1, located in the UDM or the UDR. As shown in the figure, the device includes:
a processor 1900, configured to read the program in the memory 1920 and perform the following process:
the UDM or UDR receives a query about a call from the NEF, the query asking whether the call is one permitted or authorized by the UE;
the UDM or UDR determines, according to the user authorization configuration, whether the call is one permitted or authorized by the UE, and feeds the determination result back to the NEF;
and a transceiver 1910, configured to receive and send data under the control of the processor 1900.
In some optional embodiments, the user authorization configuration is preconfigured, or is configured according to user authorization configuration information sent by the edge computing enabling server.
In Figure 19, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by the processor 1900 and memory represented by the memory 1920. The bus architecture may also link various other circuits such as peripheral devices, voltage regulators and power management circuits; these are well known in the art and are not described further here. The bus interface provides an interface. The transceiver 1910 may be a plurality of elements, that is, it includes a transmitter and a receiver, providing a unit for communicating with various other apparatuses over a transmission medium. The processor 1900 is responsible for managing the bus architecture and general processing, and the memory 1920 may store data used by the processor 1900 when performing operations.
An embodiment of the present disclosure provides a communication device, located in the UDM or the UDR, including:
a second receiving module, configured to receive a query about a call from the NEF, the query asking whether the call is one permitted or authorized by the UE;
and an authorization confirmation module, configured to determine, according to the user authorization configuration, whether the call is one permitted or authorized by the UE, and to feed the determination result back to the NEF.
For convenience of description, the parts of the apparatus described above are divided by function into modules or units and described separately. Of course, when implementing the present disclosure, the functions of the modules or units may be implemented in one or more pieces of software or hardware.
For details, refer to the implementation of the call query method on the communication device side described above.
Figure 20 is a schematic diagram of the UE structure. As shown in the figure, the user equipment includes:
a processor 2000, configured to read the program in the memory 2020 and perform the following process:
determine the APP calls permitted or authorized by the user;
determine the user authorization configuration information according to the APP call information permitted or authorized by the user;
send the user authorization configuration information to the edge computing enabling server;
and a transceiver 2010, configured to receive and send data under the control of the processor 2000.
In some optional embodiments, the processor 2000 is further configured to:
store the user authorization configuration information.
In some optional embodiments, the processor 2000 is further configured to:
update the user authorization configuration information according to an instruction from the edge computing enabling server.
In some optional embodiments, the user permits or authorizes APP calls at the granularity of an application or at the granularity of a call event.
In Figure 20, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by the processor 2000 and memory represented by the memory 2020. The bus architecture may also link various other circuits such as peripheral devices, voltage regulators and power management circuits; these are well known in the art and are not described further here. The bus interface provides an interface. The transceiver 2010 may be a plurality of elements, that is, it includes a transmitter and a receiver, providing a unit for communicating with various other apparatuses over a transmission medium. For different user equipment, the user interface 2030 may also be an interface capable of connecting the required external or internal devices, including but not limited to a keypad, a display, a speaker, a microphone and a joystick.
The processor 2000 is responsible for managing the bus architecture and general processing, and the memory 2020 may store data used by the processor 2000 when performing operations.
An embodiment of the present disclosure provides a call authorization apparatus, including:
a first determining module, configured to determine the APP calls permitted or authorized by the user;
a configuration module, configured to determine the user authorization configuration information according to the APP call information permitted or authorized by the user;
and a first sending module, configured to send the user authorization configuration information to the edge computing enabling server.
For convenience of description, the parts of the apparatus described above are divided by function into modules or units and described separately. Of course, when implementing the present disclosure, the functions of the modules or units may be implemented in one or more pieces of software or hardware.
For the specific implementation, refer to the implementation of the call authorization method on the user terminal side described above.
Figure 21 is a schematic diagram of edge computing enabling server structure 2. As shown in the figure, the server includes:
a processor 2100, configured to read the program in the memory 2120 and perform the following process:
receive the user authorization configuration information sent by the UE, the user authorization configuration information containing the APP call information permitted or authorized by the user;
send the user authorization configuration information to the network-side device, for the NEF to query the permission or authorization of a call;
and a transceiver 2110, configured to receive and send data under the control of the processor 2100.
In some optional embodiments, the network-side device is one or a combination of the following: UDM, UDR, application-layer user information server, NEF.
In some optional embodiments, the processor 2100 is further configured to:
instruct the UE to update the user authorization configuration information on the UE, according to an instruction given by the user while requesting the edge computing application.
In some optional embodiments, the user permits or authorizes APP calls at the granularity of an application or at the granularity of a call event.
In Figure 21, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by the processor 2100 and memory represented by the memory 2120. The bus architecture may also link various other circuits such as peripheral devices, voltage regulators and power management circuits; these are well known in the art and are not described further here. The bus interface provides an interface. The transceiver 2110 may be a plurality of elements, that is, it includes a transmitter and a receiver, providing a unit for communicating with various other apparatuses over a transmission medium. The processor 2100 is responsible for managing the bus architecture and general processing, and the memory 2120 may store data used by the processor 2100 when performing operations.
An embodiment of the present disclosure provides a processing apparatus for call authorization, including:
a third receiving module, configured to receive the user authorization configuration information sent by the UE, the user authorization configuration information containing the APP call information permitted or authorized by the user;
and a second sending module, configured to send the user authorization configuration information to the network-side device, for the NEF to query the permission or authorization of a call.
For convenience of description, the parts of the apparatus described above are divided by function into modules or units and described separately. Of course, when implementing the present disclosure, the functions of the modules or units may be implemented in one or more pieces of software or hardware.
For the specific implementation, refer to the implementation of the call authorization processing method on the edge computing enabling server side described above.
Figure 22 is a schematic diagram of communication device structure 2, located in one of the following devices: UDM, UDR, application-layer user information server or NEF. As shown in the figure, the device includes:
a processor 2200, configured to read the program in the memory 2220 and perform the following process:
receive the user authorization configuration information sent by the edge computing enabling server, the user authorization configuration information containing the APP call information permitted or authorized by the user;
receive a query about a call sent by the NEF, the query asking whether the call is one permitted or authorized by the UE;
determine, according to the user authorization configuration, whether the call is one permitted or authorized by the UE;
and a transceiver 2210, configured to receive and send data under the control of the processor 2200.
In some optional embodiments, the user permits or authorizes APP calls at the granularity of an application or at the granularity of a call event.
In Figure 22, the bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by the processor 2200 and memory represented by the memory 2220. The bus architecture may also link various other circuits such as peripheral devices, voltage regulators and power management circuits; these are well known in the art and are not described further here. The bus interface provides an interface. The transceiver 2210 may be a plurality of elements, that is, it includes a transmitter and a receiver, providing a unit for communicating with various other apparatuses over a transmission medium. The processor 2200 is responsible for managing the bus architecture and general processing, and the memory 2220 may store data used by the processor 2200 when performing operations.
An embodiment of the present disclosure provides a processing apparatus for call authorization, including:
a fourth receiving module, configured to receive the user authorization configuration information sent by the edge computing enabling server, the user authorization configuration information containing the APP call information permitted or authorized by the user;
a fifth receiving module, configured to receive a query about a call sent by the NEF, the query asking whether the call is one permitted or authorized by the UE;
and a second determining module, configured to determine, according to the user authorization configuration, whether the call is one permitted or authorized by the UE.
For convenience of description, the parts of the apparatus described above are divided by function into modules or units and described separately. Of course, when implementing the present disclosure, the functions of the modules or units may be implemented in one or more pieces of software or hardware.
For the specific implementation, refer to the implementation of the call authorization processing method on the communication device side described above.
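The provisioning and update path described for Figures 19 to 22 (the UE builds the user authorization configuration at application or call-event granularity, the enabling server relays it to a network-side store, the NEF consults that store at call time, and the enabling server can instruct the UE to update), as an added example that is not part of the patent. The message shapes, the version counter used to reject a stale or replayed configuration, and the deny-by-default rule for a UE that has no stored configuration are assumptions of this example, not something the patent specifies. MAC protection is left out here; it is the subject of embodiments five and six.

```python
import copy
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class UserAuthConfig:
    """UE-side user authorization configuration: per application, either the
    whole application ("*") or an explicit set of call events is permitted."""
    ue_id: str
    version: int = 0  # assumption: monotonic counter, bumped on every change
    grants: Dict[str, Set[str]] = field(default_factory=dict)

    def permit(self, app_id: str, event: str = "*") -> None:
        self.grants.setdefault(app_id, set()).add(event)
        self.version += 1

    def revoke(self, app_id: str, event: Optional[str] = None) -> None:
        if event is None:
            self.grants.pop(app_id, None)  # revoke the whole application
        else:
            self.grants.get(app_id, set()).discard(event)
        self.version += 1

    def allows(self, app_id: str, event: str) -> bool:
        events = self.grants.get(app_id, set())
        return "*" in events or event in events

class NetworkStore:
    """Network-side holder of the configuration (UDM, UDR, user information server or NEF)."""
    def __init__(self):
        self.configs: Dict[str, UserAuthConfig] = {}

    def store(self, cfg: UserAuthConfig) -> bool:
        current = self.configs.get(cfg.ue_id)
        if current is not None and cfg.version <= current.version:
            return False  # stale or replayed configuration: keep the newer one
        self.configs[cfg.ue_id] = copy.deepcopy(cfg)  # snapshot; the UE keeps editing its own
        return True

    def is_authorized(self, ue_id: str, app_id: str, event: str) -> bool:
        cfg = self.configs.get(ue_id)
        return cfg is not None and cfg.allows(app_id, event)  # no configuration: deny

class Ue:
    """User equipment: owns the configuration and applies update instructions."""
    def __init__(self, ue_id: str):
        self.config = UserAuthConfig(ue_id)

    def apply_update(self, app_id: str, event: Optional[str], permit: bool) -> UserAuthConfig:
        if permit:
            self.config.permit(app_id, event or "*")
        else:
            self.config.revoke(app_id, event)
        return self.config

class EnablingServer:
    """Edge computing enabling server: relays UE configuration to the network
    side and, on the user's instruction, tells the UE to update it."""
    def __init__(self, store: NetworkStore):
        self.store, self.ues = store, {}

    def register(self, ue: Ue) -> None:
        self.ues[ue.config.ue_id] = ue

    def receive_config(self, cfg: UserAuthConfig) -> bool:
        return self.store.store(cfg)  # forward for the NEF to query later

    def request_update(self, ue_id: str, app_id: str, event: Optional[str], permit: bool) -> bool:
        return self.receive_config(self.ues[ue_id].apply_update(app_id, event, permit))

class Nef:
    """NEF: asks the network-side store at call time whether the UE permitted the call."""
    def __init__(self, store: NetworkStore):
        self.store = store

    def handle_call(self, ue_id: str, app_id: str, event: str) -> Optional[dict]:
        if not self.store.is_authorized(ue_id, app_id, event):
            return None  # empty result: the call is refused
        return {"ue_id": ue_id, "event": event}

def lifecycle() -> dict:
    """Constructed scenario: grant, call, revoke via the enabling server, call again."""
    store = NetworkStore()
    es, nef, ue = EnablingServer(store), Nef(store), Ue("ue-1001")
    es.register(ue)
    ue.config.permit("app-nav", "location")  # user permits one call event
    es.receive_config(ue.config)
    before = nef.handle_call("ue-1001", "app-nav", "location")
    es.request_update("ue-1001", "app-nav", "location", permit=False)
    after_revoke = nef.handle_call("ue-1001", "app-nav", "location")
    replayed = UserAuthConfig("ue-1001", version=1, grants={"app-nav": {"*"}})
    return {
        "before": before,
        "after_revoke": after_revoke,
        "stale_config_rejected": not store.store(replayed),
        "unknown_ue": nef.handle_call("ue-9999", "app-nav", "location"),
    }
```

The point of the version check and the deep copy is that the network-side copy changes only through the enabling server's relay: a revocation takes effect at the next NEF query, and an older configuration that is presented again (for example a broader application-level grant the user has since withdrawn) is not accepted over the newer one.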
An embodiment of the present disclosure provides a computer-readable storage medium, where the computer-readable storage medium stores a program that performs one or a combination of the following methods:
the call request processing method, the call query method, the call authorization method and the call authorization processing method.
In summary, in the technical solutions provided by the embodiments of the present disclosure, the user updates or configures, through the edge computing enabling server, the authorization for a given edge computing application to invoke network capabilities; when an edge computing application invokes a network capability, the user's permission for that application to invoke the network capability must be queried first.
By verifying the user's authorization for, or querying the user's permission for, the edge computing application's invocation of network capabilities, leakage of user information when an edge computing application invokes network capabilities can thus be avoided.
Those skilled in the art will appreciate that the embodiments of the present disclosure may be provided as methods, systems, or program products. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present disclosure may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The present disclosure is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present disclosure. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are executed on the computer or other programmable device to produce a computer-implemented process, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams. It will be understood that the embodiments described in the present disclosure may be implemented in hardware, software, firmware, middleware, microcode, or a combination thereof. For a hardware implementation, each module, unit, sub-unit or sub-module may be implemented in one or more Application Specific Integrated Circuits (ASIC), Digital Signal Processors (DSP), Digital Signal Processing Devices (DSPD), Programmable Logic Devices (PLD), Field-Programmable Gate Arrays (FPGA), general-purpose processors, controllers, microcontrollers, microprocessors, other electronic units for performing the functions described in the present disclosure, or a combination thereof.
For a software implementation, the techniques described in the embodiments of the present disclosure may be implemented by modules (for example, procedures, functions, and so on) that perform the functions described in the embodiments of the present disclosure. The software code may be stored in a memory and executed by a processor. The memory may be implemented within the processor or external to the processor.
Obviously, those skilled in the art can make various changes and modifications to the present disclosure without departing from the spirit and scope of the present disclosure. Thus, if these modifications and variations of the present disclosure fall within the scope of the claims of the present disclosure and their equivalents, the present disclosure is intended to include these modifications and variations as well.

Claims (30)

  1. A method for processing an invocation request, comprising:
    when an edge computing application server, acting as an application function (AF), requests an invocation from the Network Exposure Function (NEF) of a 3GPP network, querying the user equipment (UE) for its permission or authorization of the invocation; and
    upon determining that the UE has permitted or authorized the invocation, requesting the invocation from the 3GPP network NEF.
  2. The method of claim 1, wherein, when the edge computing application server queries the UE's permission or authorization for the invocation, the query is made to a user configuration information server at the application layer;
    the method further comprising:
    upon determining that the UE has permitted or authorized the invocation, carrying user permission information when requesting the invocation from the 3GPP network NEF; or,
    when the unified data management entity (UDM) and the application-layer user information server share the UE's permission or authorization information for invocations, upon determining that the UE has permitted or authorized the invocation, carrying, when requesting the invocation from the 3GPP network NEF, the user permission information together with a verification code computed using a security key shared by the UDM and the application-layer user information server.
  3. A method for processing an invocation request, comprising:
    receiving an invocation requested from the 3GPP network NEF by an edge computing application server acting as an AF; or receiving an invocation requested from the 3GPP network NEF by the edge computing application server that carries user permission information; or receiving an invocation requested from the 3GPP network NEF by the edge computing application server that carries user permission information and a verification code, wherein the verification code is computed, when the UDM and the application-layer user information server share the UE's permission or authorization information for invocations, using the security key shared by the UDM and the application-layer user information server;
    the NEF querying the UE's permission or authorization for the invocation; and
    the NEF allowing the invocation by the edge computing application server upon determining that the UE has permitted or authorized the invocation.
  4. The method of claim 3, wherein, when receiving an invocation requested from the 3GPP network NEF by the edge computing application server acting as an AF, the NEF queries the UDM or the unified data repository (UDR) for the UE's permission or authorization for the invocation; or,
    when receiving an invocation requested from the 3GPP network NEF by the edge computing application server that carries user permission information, the NEF queries the UDM for the UE's permission or authorization for the invocation; or,
    when receiving an invocation requested from the 3GPP network NEF by the edge computing application server that carries user permission information and a verification code, the NEF queries its local database, according to the user authorization configuration, for the UE's permission or authorization for the invocation, or queries the UDM for the UE's permission or authorization for the invocation.
  5. A method for querying an invocation, comprising:
    a UDM or UDR receiving a query about an invocation from the NEF, the query asking whether the invocation is one permitted or authorized by the UE; and
    the UDM or UDR determining, according to a user authorization configuration, whether the invocation is one permitted or authorized by the UE, and returning the determination result to the NEF.
  6. The method of claim 5, wherein the user authorization configuration is pre-configured or is configured according to user authorization configuration information sent by an edge computing enabling server.
  7. An invocation authorization method, comprising:
    a UE determining the application (APP) invocations permitted or authorized by the user;
    the UE determining user authorization configuration information according to the APP invocation information permitted or authorized by the user; and
    the UE sending the user authorization configuration information to an edge computing enabling server.
  8. The method of claim 7, further comprising:
    the UE storing the user authorization configuration information.
  9. The method of claim 7, further comprising:
    updating the user authorization configuration information according to an instruction from the edge computing enabling server.
  10. The method of any one of claims 7 to 9, wherein the user permits or authorizes APP invocations at the granularity of an application or at the granularity of an invocation event.
  11. A method for processing invocation authorization, comprising:
    an edge computing enabling server receiving user authorization configuration information sent by a UE, the user authorization configuration information containing the APP invocation information permitted or authorized by the user; and
    the edge computing enabling server sending the user authorization configuration information to a network-side device, for the NEF to query the permission or authorization of an invocation.
  12. The method of claim 11, wherein the network-side device is one of the following, or a combination thereof: a UDM, a UDR, an application-layer user information server, or the NEF.
  13. The method of claim 11, further comprising:
    according to an instruction given by the user while requesting an edge computing application, the edge computing enabling server instructing the UE to update the user authorization configuration information held on the UE.
  14. The method of any one of claims 11 to 13, wherein the user permits or authorizes APP invocations at the granularity of an application or at the granularity of an invocation event.
  15. A method for processing invocation authorization, comprising:
    a network-side device receiving user authorization configuration information sent by an edge computing enabling server, the user authorization configuration information containing the APP invocation information permitted or authorized by the user;
    the network-side device receiving a query about an invocation sent by the NEF, the query asking whether the invocation is one permitted or authorized by the UE; and
    the network-side device determining, according to the user authorization configuration, whether the invocation is one permitted or authorized by the UE.
  16. The method of claim 15, wherein the network-side device is one of the following, or a combination thereof: a UDM, a UDR, an application-layer user information server, or the NEF.
  17. The method of claim 15 or 16, wherein the user permits or authorizes APP invocations at the granularity of an application or at the granularity of an invocation event.
  18. An edge computing application server, comprising:
    a processor configured to read a program from a memory and perform the following:
    when the edge computing application server, acting as an AF, requests an invocation from the 3GPP network NEF, querying the UE for its permission or authorization of the invocation; and
    upon determining that the UE has permitted or authorized the invocation, requesting the invocation from the 3GPP network NEF; and
    a transceiver configured to receive and send data under the control of the processor.
  19. An apparatus for processing an invocation request, comprising:
    a first query module configured to query the UE for its permission or authorization of an invocation when the edge computing application server, acting as an AF, requests the invocation from the 3GPP network NEF; and
    a request module configured to request the invocation from the 3GPP network NEF upon determining that the UE has permitted or authorized the invocation.
  20. An NEF, comprising:
    a processor configured to read a program from a memory and perform the following:
    receiving an invocation requested from the 3GPP network NEF by an edge computing application server acting as an AF; or receiving an invocation requested from the 3GPP network NEF by the edge computing application server that carries user permission information; or receiving an invocation requested from the 3GPP network NEF by the edge computing application server that carries user permission information and a verification code, wherein the verification code is computed, when the UDM and the application-layer user information server share the UE's permission or authorization information for invocations, using the security key shared by the UDM and the application-layer user information server;
    querying the UE's permission or authorization for the invocation; and
    upon determining that the UE has permitted or authorized the invocation, allowing the invocation by the edge computing application server; and
    a transceiver configured to receive and send data under the control of the processor.
  21. An apparatus for processing an invocation request, comprising:
    a first receiving module configured to receive an invocation requested from the 3GPP network NEF by an edge computing application server acting as an AF; or to receive an invocation requested from the 3GPP network NEF by the edge computing application server that carries user permission information; or to receive an invocation requested from the 3GPP network NEF by the edge computing application server that carries user permission information and a verification code, wherein the verification code is computed, when the UDM and the application-layer user information server share the UE's permission or authorization information for invocations, using the security key shared by the UDM and the application-layer user information server;
    a second query module configured to query the UE's permission or authorization for the invocation; and
    an invocation module configured to allow the invocation by the edge computing application server upon determining that the UE has permitted or authorized the invocation.
  22. A communication device, located at a UDM or UDR, comprising:
    a processor configured to read a program from a memory and perform the following:
    the UDM or UDR receiving a query about an invocation from the NEF, the query asking whether the invocation is one permitted or authorized by the UE; and
    the UDM or UDR determining, according to a user authorization configuration, whether the invocation is one permitted or authorized by the UE, and returning the determination result to the NEF; and
    a transceiver configured to receive and send data under the control of the processor.
  23. A communication device, located at a UDM or UDR, comprising:
    a second receiving module configured to receive a query about an invocation from the NEF, the query asking whether the invocation is one permitted or authorized by the UE; and
    an authorization confirmation module configured to determine, according to a user authorization configuration, whether the invocation is one permitted or authorized by the UE, and to return the determination result to the NEF.
  24. A terminal device, comprising:
    a processor configured to read a program from a memory and perform the following:
    determining the APP invocations permitted or authorized by the user;
    determining user authorization configuration information according to the APP invocation information permitted or authorized by the user; and
    sending the user authorization configuration information to an edge computing enabling server; and
    a transceiver configured to receive and send data under the control of the processor.
  25. An invocation authorization apparatus, comprising:
    a first determining module configured to determine the APP invocations permitted or authorized by the user;
    a configuration module configured to determine user authorization configuration information according to the APP invocation information permitted or authorized by the user; and
    a first sending module configured to send the user authorization configuration information to an edge computing enabling server.
  26. An edge computing enabling server, comprising:
    a processor configured to read a program from a memory and perform the following:
    receiving user authorization configuration information sent by a UE, the user authorization configuration information containing the APP invocation information permitted or authorized by the user; and
    sending the user authorization configuration information to a network-side device, for the NEF to query the permission or authorization of an invocation; and
    a transceiver configured to receive and send data under the control of the processor.
  27. An apparatus for processing invocation authorization, comprising:
    a third receiving module configured to receive user authorization configuration information sent by a UE, the user authorization configuration information containing the APP invocation information permitted or authorized by the user; and
    a second sending module configured to send the user authorization configuration information to a network-side device, for the NEF to query the permission or authorization of an invocation.
  28. A communication device, located at one of the following: a UDM, a UDR, an application-layer user information server, or an NEF, comprising:
    a processor configured to read a program from a memory and perform the following:
    receiving user authorization configuration information sent by an edge computing enabling server, the user authorization configuration information containing the APP invocation information permitted or authorized by the user;
    receiving a query about an invocation sent by the NEF, the query asking whether the invocation is one permitted or authorized by the UE; and
    determining, according to the user authorization configuration, whether the invocation is one permitted or authorized by the UE; and
    a transceiver configured to receive and send data under the control of the processor.
  29. An apparatus for processing invocation authorization, comprising:
    a fourth receiving module configured to receive user authorization configuration information sent by an edge computing enabling server, the user authorization configuration information containing the APP invocation information permitted or authorized by the user;
    a fifth receiving module configured to receive a query about an invocation sent by the NEF, the query asking whether the invocation is one permitted or authorized by the UE; and
    a second determining module configured to determine, according to the user authorization configuration, whether the invocation is one permitted or authorized by the UE.
  30. A computer-readable storage medium, wherein the computer-readable storage medium stores a program for performing the method of any one of claims 1 to 17.
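The consent flow of claims 1 to 17 as a runnable model: the UE's per-application or per-event authorization configuration is forwarded to both the UDM and the application-layer user information server, the edge application server (AF) checks it before calling the NEF and carries the user permission information plus a verification code, and the NEF verifies the code and the configuration before allowing the invocation. This is an added example, not code from the patent; it assumes HMAC-SHA256 as the verification-code function (the claims only say "computed using the shared security key") and uses constructed identifiers and key.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field


@dataclass
class UserAuthorizationConfig:
    """Claims 7-10: the UE records which APP invocations the user permitted,
    either per application or per (application, invocation event)."""
    ue_id: str
    apps: set = field(default_factory=set)     # application granularity
    events: set = field(default_factory=set)   # (app, event) granularity

    def permits(self, app_id: str, event: str) -> bool:
        return app_id in self.apps or (app_id, event) in self.events


def permission_record(ue_id: str, app_id: str, event: str) -> bytes:
    """Canonical encoding of the user permission information carried to the NEF."""
    return json.dumps({"ue": ue_id, "app": app_id, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()


def verification_code(shared_key: bytes, record: bytes) -> str:
    """Claims 2-3: code computed with the key shared by the UDM and the
    application-layer user information server (HMAC-SHA256 is our assumption)."""
    return hmac.new(shared_key, record, hashlib.sha256).hexdigest()


class NetworkSideStore:
    """Claims 11-17: a UDM/UDR or application-layer user information server
    holding the configuration the edge computing enabling server forwarded."""
    def __init__(self, shared_key: bytes):
        self.shared_key = shared_key
        self.configs = {}

    def receive_config(self, cfg: UserAuthorizationConfig) -> None:
        self.configs[cfg.ue_id] = cfg

    def is_permitted(self, ue_id: str, app_id: str, event: str) -> bool:
        cfg = self.configs.get(ue_id)
        return cfg is not None and cfg.permits(app_id, event)


class EdgeApplicationServer:
    """Claims 1-2: the AF asks the user information server before calling the NEF."""
    def __init__(self, app_id: str, user_info_server: NetworkSideStore):
        self.app_id, self.uis = app_id, user_info_server

    def build_nef_request(self, ue_id: str, event: str):
        if not self.uis.is_permitted(ue_id, self.app_id, event):
            return None                      # not permitted: never call the NEF
        record = permission_record(ue_id, self.app_id, event)
        return {"ue": ue_id, "app": self.app_id, "event": event,
                "permission": record,
                "code": verification_code(self.uis.shared_key, record)}


class NEF:
    """Claims 3-4: check the verification code, then the user authorization."""
    def __init__(self, udm: NetworkSideStore):
        self.udm = udm

    def handle(self, req: dict) -> bool:
        expected = verification_code(self.udm.shared_key, req["permission"])
        if not hmac.compare_digest(expected, req["code"]):
            return False    # permission info not vouched for by the shared key
        rec = json.loads(req["permission"])
        if (rec["ue"], rec["app"], rec["event"]) != (req["ue"], req["app"], req["event"]):
            return False    # carried permission does not describe this invocation
        return self.udm.is_permitted(req["ue"], req["app"], req["event"])


def run_scenario() -> dict:
    key = b"constructed-shared-key"   # constructed; shared by UDM and user info server
    udm, uis = NetworkSideStore(key), NetworkSideStore(key)
    cfg = UserAuthorizationConfig("ue-001", apps={"nav-app"},
                                  events={("game-app", "location")})
    for store in (udm, uis):         # edge enabling server forwards to both
        store.receive_config(cfg)
    nef, results = NEF(udm), {}
    results["app_granularity"] = nef.handle(
        EdgeApplicationServer("nav-app", uis).build_nef_request("ue-001", "location"))
    results["event_granularity"] = nef.handle(
        EdgeApplicationServer("game-app", uis).build_nef_request("ue-001", "location"))
    results["event_not_granted"] = (
        EdgeApplicationServer("game-app", uis).build_nef_request("ue-001", "qos") is None)
    # altered in transit: the permission record no longer matches its code
    req = EdgeApplicationServer("nav-app", uis).build_nef_request("ue-001", "location")
    req["permission"] = permission_record("ue-001", "nav-app", "qos")
    req["event"] = "qos"
    results["altered_permission"] = nef.handle(req)
    return results
```

The last case shows why the verification code matters: "nav-app" is permitted at application granularity, so the NEF's configuration lookup alone would accept the altered request, but the code check rejects it first.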
PCT/CN2021/070468 2020-02-10 2021-01-06 Request, query and authorization processing method for call, devices, apparatus, and medium WO2021159891A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010084031.5 2020-02-10
CN202010084031.5A CN113259930A (en) 2020-02-10 2020-02-10 Calling request, inquiry and authorization processing method, device and apparatus, and medium

Publications (1)

Publication Number Publication Date
WO2021159891A1 true WO2021159891A1 (en) 2021-08-19
