FORM 2
THE PATENTS ACT, 1970 (39 OF 1970) & THE PATENT RULES, 2003
COMPLETE SPECIFICATION
(See section 10 and rule 13)
“METHOD AND SYSTEM FOR AUTHENTICATION OF ONE
OR MORE THIRD-PARTY APPLICATIONS IN A
COMMUNICATION SYSTEM”
We, Jio Platforms Limited, an Indian National, of Office - 101, Saffron, Nr. Centre Point, Panchwati 5 Rasta, Ambawadi, Ahmedabad - 380006, Gujarat, India.
The following specification particularly describes the invention and the manner in which it is to be performed.

METHOD AND SYSTEM FOR AUTHENTICATION OF ONE OR MORE THIRD-PARTY APPLICATIONS IN A COMMUNICATION SYSTEM
FIELD OF INVENTION
[0001] Embodiments of the present disclosure generally relate to network performance management systems. More particularly, embodiments of the present disclosure relate to a method and system for authentication of one or more third-party applications in a communication system.
BACKGROUND
[0002] The following description of the related art is intended to provide background information pertaining to the field of the disclosure. This section may include certain aspects of the art that may be related to various features of the present disclosure. However, it should be appreciated that this section is used only to enhance the understanding of the reader with respect to the present disclosure, and not as admissions of the prior art.
[0003] Wireless communication technology has rapidly evolved over the past few decades, with each generation bringing significant improvements and advancements. The first generation of wireless communication technology was based on analog technology and offered only voice services. However, with the advent of the second-generation (2G) technology, digital communication and data services became possible, and text messaging was introduced. 3G technology marked the introduction of high-speed internet access, mobile video calling, and location-based services. The fourth-generation (4G) technology revolutionized wireless communication with faster data speeds, better network coverage, and improved security. Currently, the fifth-generation (5G) technology is being deployed, promising even faster data speeds, low latency, and the ability to connect multiple devices simultaneously. With each generation, wireless communication

technology has become more advanced, sophisticated, and capable of delivering more services to its users.
[0004] In 5G communication system, Common API Framework (CAPIF) acts as core keystone element in the realization of 5G openness connectivity since it authenticates and authorizes secure exposure of 5G core application programming interfaces (APIs) to third-party domains and enables third parties to define and expose their own APIs. CAPIF performs first-hand TLS security and provides authentication and authorization of API invoker (third party domain). In conventional way, the CAPIF architecture consists of API exposing function which provides the service API’s and acts as an entry point for the service API which is triggered from public network. CAPIF generates and assigns token to API invoker which is validated by the API Exposure function along with feature functionality. This system architecture for supporting third-party domain API has limited security features and there may be chances of unwanted threats and attacks towards the service provider network from third party domain. For an example, when API invoker directly sends traffic on API Exposure function from the public network, any malicious user can send malware traffic on the network or can perform DoS attack, which can impact the CAPIF or NF performance.
[0005] Thus, there exists an imperative need in the art to provide an efficient system and method for for authentication of one or more third-party applications in a communication system enabling a secure way of providing communication establishment between third-party API and service provider network in 5G communication system.
SUMMARY
[0006] This section is provided to introduce certain aspects of the present disclosure in a simplified form that are further described below in the detailed description.

This summary is not intended to identify the key features or the scope of the claimed subject matter.
[0007] An aspect of the present disclosure may relate to a method for authentication of one or more third-party applications in a communication system. The method includes receiving, at an API Exposure function (AEF), an enrolment request message from an API invoker via an Edge Load Balancer (ELB), wherein enrolment request message further comprises an authentication request to access a network exposure function. The method further includes generating, by the ELB, a security token for the enrolment request message. The method further includes transmitting, by the ELB, the security token to the API invoker. The method further includes establishing a secure connection between the ELB and the API invoker. The method further includes receiving, by the ELB, an incoming request for an API Exposure function from the API invoker. Finally, the method includes authenticating, by the ELB, the incoming request from the API invoker.
[0008] In an exemplary aspect of the present disclosure, the method further comprises configuring, by the ELB, one or more common API Exposure function (AEF) for authentication of one or more third-party applications.
[0009] In an exemplary aspect of the present disclosure, the method further comprises load balancing, by the processing unit, the incoming requests in a round robin fashion.
[0010] In an exemplary aspect of the present disclosure, the method further comprises initiating, by the API invoker, a TLS connection with the ELB. The method further comprises transmitting, by API invoker, a service API request to the ELB, wherein the service API request comprises of a token.
[0011] In an exemplary aspect of the present disclosure, the method further comprises matching, by the processing unit, the token of the service API request

with the security token. The method further comprises validating, by the ELB, the API invoker based on the matching.
[0012] Another aspect of the present disclosure may relate to a system for authentication of one or more third-party applications in a communication system. The system comprises an API Exposure function (AEF) configured to receive an enrolment request message from an API invoker via an Edge Load Balancer (ELB), wherein enrolment request message further comprises an authentication request to access a network exposure function. The system further comprises the Edge Load Balancer (ELB) configured to generate a security token for the enrolment request message; transmit the security token to the API invoker; establish a secure connection between the ELB and the API invoker; receive an incoming request for an API Exposure function from the API invoker; and authenticate the incoming request from the API invoker.
[0013] Yet another aspect of the present disclosure may relate to a non-transitory computer readable storage medium storing instruction for authentication of one or more third-party applications in a communication system, the instructions include executable code which, when executed by one or more units of a system, causes: an API Exposure function (AEF) configured to receive an enrolment request message from an API invoker via an Edge Load Balancer (ELB), wherein enrolment request message further comprises an authentication request to access a network exposure function. Further, the instructions when executed causes the Edge Load Balancer (ELB) configured to generate a security token for the enrolment request message. Further, the instructions when executed causes the Edge Load Balancer (ELB) configured to transmit the security token to the API invoker. Further, the instructions when executed causes the Edge Load Balancer (ELB) configured to establish a secure connection between the ELB and the API invoker. Further, the instructions when executed causes the Edge Load Balancer (ELB) configured to receive an incoming request for an API Exposure function from the API invoker.

Further, the instructions when executed causes the Edge Load Balancer (ELB) configured to authenticate the incoming request from the API invoker.
OBJECTS OF THE INVENTION
[0014] Some of the objects of the present disclosure, which at least one embodiment disclosed herein satisfies are listed herein below.
[0015] It is an object of the present disclosure to provide for authentication of one or more third-party applications in a communication system.
[0016] It is another object of the present disclosure to provide for authentication of one or more third-party applications in a communication system by introducing edge load balancer ahead CAPIF framework, which authenticates and authorises the API invoker or consumer (such as third party) using TLS connection and sharing security token method for accessing any service request in service provider communication network.
[0017] It is another object of the present disclosure to provide a system and a method for providing scalability to CAPIF by introducing ELB load balancer ahead CAPIF.
DESCRIPTION OF THE DRAWINGS
[0018] The accompanying drawings, which are incorporated herein, and constitute a part of this disclosure, illustrate exemplary embodiments of the disclosed methods and systems in which like reference numerals refer to the same parts throughout the different drawings. Components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present disclosure. Also, the embodiments shown in the figures are not to be construed as limiting the disclosure, but the possible variants of the method and system according to the disclosure are illustrated herein to highlight the advantages of the

disclosure. It will be appreciated by those skilled in the art that disclosure of such drawings includes disclosure of electrical components or circuitry commonly used to implement such components.
5 [0019] FIG. 1 illustrates an exemplary block diagram representation of 5th generation core (5GC) network architecture.
[0020] FIG. 2 illustrates an exemplary block diagram of a computing device upon
which the features of the present disclosure may be implemented in accordance with
10 exemplary implementation of the present disclosure.
[0021] FIG. 3 illustrates an exemplary block diagram of a system for authentication
of one or more third-party applications in a communication system, in accordance
with exemplary implementations of the present disclosure.
15
[0022] FIG. 4 illustrates a method flow diagram for authentication of one or more
third-party applications in a communication system in accordance with exemplary
implementations of the present disclosure.
20 [0023] FIG. 5 illustrates an architecture of a system for authentication of one or more third-party applications in a communication system in accordance with exemplary implementations of the present disclosure.
[0024] The foregoing shall be more apparent from the following more detailed
25 description of the disclosure.
DETAILED DESCRIPTION
[0025] In the following description, for the purposes of explanation, various
30 specific details are set forth in order to provide a thorough understanding of
embodiments of the present disclosure. It will be apparent, however, that
embodiments of the present disclosure may be practiced without these specific
details. Several features described hereafter may each be used independently of one
7

another or with any combination of other features. An individual feature may not address any of the problems discussed above or might address only some of the problems discussed above.
5 [0026] The ensuing description provides exemplary embodiments only, and is not
intended to limit the scope, applicability, or configuration of the disclosure. Rather,
the ensuing description of the exemplary embodiments will provide those skilled in
the art with an enabling description for implementing an exemplary embodiment.
It should be understood that various changes may be made in the function and
10 arrangement of elements without departing from the spirit and scope of the
disclosure as set forth.
[0027] Specific details are given in the following description to provide a thorough
understanding of the embodiments. However, it will be understood by one of
15 ordinary skill in the art that the embodiments may be practiced without these
specific details. For example, circuits, systems, processes, and other components may be shown as components in block diagram form in order not to obscure the embodiments in unnecessary detail.
20 [0028] Also, it is noted that individual embodiments may be described as a process which is depicted as a flowchart, a flow diagram, a data flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations may be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process
25 is terminated when its operations are completed but could have additional steps not
included in a figure.
[0029] The word “exemplary” and/or “demonstrative” is used herein to mean
serving as an example, instance, or illustration. For the avoidance of doubt, the
30 subject matter disclosed herein is not limited by such examples. In addition, any
aspect or design described herein as “exemplary” and/or “demonstrative” is not
8

necessarily to be construed as preferred or advantageous over other aspects or
designs, nor is it meant to preclude equivalent exemplary structures and techniques
known to those of ordinary skill in the art. Furthermore, to the extent that the terms
“includes,” “has,” “contains,” and other similar words are used in either the detailed
5 description or the claims, such terms are intended to be inclusive—in a manner
similar to the term “comprising” as an open transition word—without precluding any additional or other elements.
[0030] As used herein, a “processing unit” or “processor” or “operating processor”
10 includes one or more processors, wherein processor refers to any logic circuitry for
processing instructions. A processor may be a general-purpose processor, a special purpose processor, a conventional processor, a digital signal processor, a plurality of microprocessors, one or more microprocessors in association with a (Digital Signal Processing) DSP core, a controller, a microcontroller, Application Specific
15 Integrated Circuits, Field Programmable Gate Array circuits, any other type of
integrated circuits, etc. The processor may perform signal coding data processing, input/output processing, and/or any other functionality that enables the working of the system according to the present disclosure. More specifically, the processor or processing unit is a hardware processor.
20
[0031] As used herein, “a user equipment”, “a user device”, “a smart-user-device”, “a smart-device”, “an electronic device”, “a mobile device”, “a handheld device”, “a wireless communication device”, “a mobile communication device”, “a communication device” may be any electrical, electronic and/or computing device
25 or equipment, capable of implementing the features of the present disclosure. The
user equipment/device may include, but is not limited to, a mobile phone, smart phone, laptop, a general-purpose computer, desktop, personal digital assistant, tablet computer, wearable device or any other computing device which is capable of implementing the features of the present disclosure. Also, the user device may
30 contain at least one input means configured to receive an input from at least one of
9

a transceiver unit, a processing unit, a storage unit, a detection unit and any other such unit(s) which are required to implement the features of the present disclosure.
[0032] As used herein, “storage unit” or “memory unit” refers to a machine or
5 computer-readable medium including any mechanism for storing information in a
form readable by a computer or similar machine. For example, a computer-readable
medium includes read-only memory (“ROM”), random access memory (“RAM”),
magnetic disk storage media, optical storage media, flash memory devices or other
types of machine-accessible storage media. The storage unit stores at least the data
10 that may be required by one or more units of the system to perform their respective
functions.
[0033] As used herein “interface” or “user interface refers to a shared boundary
across which two or more separate components of a system exchange information
15 or data. The interface may also be referred to a set of rules or protocols that define
communication or interaction of one or more modules or one or more units with each other, which also includes the methods, functions, or procedures that may be called.
20 [0034] All modules, units, components used herein, unless explicitly excluded herein, may be software modules or hardware processors, the processors being a general-purpose processor, a special purpose processor, a conventional processor, a digital signal processor (DSP), a plurality of microprocessors, one or more microprocessors in association with a DSP core, a controller, a microcontroller,
25 Application Specific Integrated Circuits (ASIC), Field Programmable Gate Array
circuits (FPGA), any other type of integrated circuits, etc.
[0035] As used herein the transceiver unit include at least one receiver and at least
one transmitter configured respectively for receiving and transmitting data, signals,
30 information, or a combination thereof between units/components within the system
and/or connected with the system.
10

[0036] As used herein, API stands for application programming interface, which is a set of definitions and protocols for building and integrating application software.
[0037] As used herein, API exposure function (AEF) in 5G, refers to the ability of
5 developers and third-party applications to access and utilize the functionalities and
services offered by the 5G network.
[0038] As used herein, CAPIF stands for Common API framework and it was
developed by 3GPP to enable a unified Northbound API framework across 3GPP
10 network functions, and to ensure that there is a single and harmonized approach for
API development. In an exemplary aspect, API exposure function (AEF) is a one
of component of common API framework (CAPIF).
[0039] As used herein, a public load balancer can provide outbound connections
15 for virtual machines (VMs) inside your virtual network. These connections are
accomplished by translating their private IP addresses to public IP addresses. Public Load Balancers are used to load balance internet traffic to your VMs.
[0040] As used herein, the edge load balancer distributes incoming service requests
20 evenly among multiple servers in such a way that the load distribution is transparent
to users.
[0041] As used herein, API invoker enables user to make a remote function call to
query a list of function modules and interact with the modules using a database for
25 local storage.
[0042] As discussed in the background section, the current known solutions have
several shortcomings. The present disclosure aims to overcome the above-
mentioned and other existing problems in this field of technology by providing
30 method and system for authentication of one or more third-party applications in a
communication system.
11

[0043] FIG. 1 illustrates an exemplary block diagram representation of 5th
generation core (5GC) network architecture, in accordance with exemplary
implementation of the present disclosure. As shown in FIG. 1, the 5GC network
architecture [100] includes a user equipment (UE) [102], a radio access network
5 (RAN) [104], an access and mobility management function (AMF) [106], a Session
Management Function (SMF) [108], a Service Communication Proxy (SCP) [110], an Authentication Server Function (AUSF) [112], a Network Slice Specific Authentication and Authorization Function (NSSAAF) [114], a Network Slice Selection Function (NSSF) [116], a Network Exposure Function (NEF) [118],
10 common API framework (CAPIF) [118a], API exposure function (AEF) [118b], a
Network Repository Function (NRF) [120], a Policy Control Function (PCF) [122], a Unified Data Management (UDM) [124], an application function (AF) [126], a User Plane Function (UPF) [128], a data network (DN) [130], wherein all the components are assumed to be connected to each other in a manner as obvious to
15 the person skilled in the art for implementing features of the present disclosure.
[0044] Radio Access Network (RAN) [104] is the part of a mobile
telecommunications system that connects user equipment (UE) [102] to the core
network (CN) and provides access to different types of networks (e.g., 5G network).
20 It consists of radio base stations and the radio access technologies that enable
wireless communication.
[0045] Access and Mobility Management Function (AMF) [106] is a 5G core
network function responsible for managing access and mobility aspects, such as UE
25 registration, connection, and reachability. It also handles mobility management
procedures like handovers and paging.
[0046] Session Management Function (SMF) [108] is a 5G core network function
responsible for managing session-related aspects, such as establishing, modifying,
30 and releasing sessions. It coordinates with the User Plane Function (UPF) for data
forwarding and handles IP address allocation and QoS enforcement.
12

[0047] Service Communication Proxy (SCP) [110] is a network function in the 5G core network that facilitates communication between other network functions by providing a secure and efficient messaging service. It acts as a mediator for service-based interfaces. 5
[0048] Authentication Server Function (AUSF) [112] is a network function in the 5G core responsible for authenticating UEs during registration and providing security services. It generates and verifies authentication vectors and tokens.
10 [0049] Network Slice Specific Authentication and Authorization Function (NSSAAF) [114] is a network function that provides authentication and authorization services specific to network slices. It ensures that UEs can access only the slices for which they are authorized.
15 [0050] Network Slice Selection Function (NSSF) [116] is a network function responsible for selecting the appropriate network slice for a UE based on factors such as subscription, requested services, and network policies.
[0051] Network Exposure Function (NEF) [118] is a network function that exposes
20 capabilities and services of the 5G network to external applications, enabling
integration with third-party services and applications.
[0052] CAPIF [118a] is a network framework that was developed by 3GPP to
enable a unified Northbound API framework across 3GPP network functions, and
25 to ensure that there is a single and harmonized approach for API development.
[0053] AEF [118b] in 5G, refers to the ability of developers and third-party
applications to access and utilize the functionalities and services offered by the 5G
network. In an exemplary aspect, API exposure function (AEF) [118b] is a one of
30 component of common API framework (CAPIF) [118a].
13

[0054] Network Repository Function (NRF) [120] is a network function that acts as a central repository for information about available network functions and services. It facilitates the discovery and dynamic registration of network functions.
5 [0055] Policy Control Function (PCF) [122] is a network function responsible for policy control decisions, such as QoS, charging, and access control, based on subscriber information and network policies.
[0056] Unified Data Management (UDM) [124] is a network function that
10 centralizes the management of subscriber data, including authentication,
authorization, and subscription information.
[0057] Application Function (AF) [126] is a network function that represents
external applications interfacing with the 5G core network to access network
15 capabilities and services.
[0058] User Plane Function (UPF) [128] is a network function responsible for
handling user data traffic, including packet routing, forwarding, and QoS
enforcement.
20
[0059] Data Network (DN) [130] refers to a network that provides data services to
user equipment (UE) in a telecommunications system. The data services may
include but are not limited to Internet services, private data network related services.
25 [0060] FIG. 2 illustrates an exemplary block diagram of a computing device [200]
(also referred to herein as a computer system [200]) upon which the features of the
present disclosure may be implemented in accordance with exemplary
implementation of the present disclosure. In an implementation, the computing
device [200] may also implement a method for authentication of one or more third-
30 party applications in a communication system utilising the system. In another
implementation, the computing device [200] itself implements the method for
authentication of one or more third-party applications in a communication system
using one or more units configured within the computing device [200], wherein said
14

one or more units are capable of implementing the features as disclosed in the present disclosure.
[0061] The computing device [200] may include a bus [202] or other
5 communication mechanism for communicating information, and a processor [204]
coupled with bus [202] for processing information. The processor [204] may be, for example, a general-purpose microprocessor. The computing device [200] may also include a main memory [206], such as a random-access memory (RAM), or other dynamic storage device, coupled to the bus [202] for storing information and
10 instructions to be executed by the processor [204]. The main memory [206] also
may be used for storing temporary variables or other intermediate information during execution of the instructions to be executed by the processor [204]. Such instructions, when stored in non-transitory storage media accessible to the processor [204], render the computing device [200] into a special-purpose machine that is
15 customized to perform the operations specified in the instructions. The computing
device [200] further includes a read only memory (ROM) [208] or other static storage device coupled to the bus [202] for storing static information and instructions for the processor [204].
20 [0062] A storage device [210], such as a magnetic disk, optical disk, or solid-state drive is provided and coupled to the bus [202] for storing information and instructions. The computing device [200] may be coupled via the bus [202] to a display [212], such as a cathode ray tube (CRT), Liquid crystal Display (LCD), Light Emitting Diode (LED) display, Organic LED (OLED) display, etc. for
25 displaying information to a computer user. An input device [214], including
alphanumeric and other keys, touch screen input means, etc. may be coupled to the bus [202] for communicating information and command selections to the processor [204]. Another type of user input device may be a cursor controller [216], such as a mouse, a trackball, or cursor direction keys, for communicating direction
30 information and command selections to the processor [204], and for controlling
cursor movement on the display [212]. This input device typically has two degrees
15

of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allow the device to specify positions in a plane.
[0063] The computing device [200] may implement the techniques described
5 herein using customized hard-wired logic, one or more ASICs or FPGAs, firmware,
and/or program logic which in combination with the computing device [200] causes or programs the computing device [200] to be a special-purpose machine. According to one implementation, the techniques herein are performed by the computing device [200] in response to the processor [204] executing one or more
10 sequences of one or more instructions contained in the main memory [206]. Such
instructions may be read into the main memory [206] from another storage medium, such as the storage device [210]. Execution of the sequences of instructions contained in the main memory [206] causes the processor [204] to perform the process steps described herein. In alternative implementations of the present
15 disclosure, hard-wired circuitry may be used in place of or in combination with
software instructions.
[0064] The computing device [200] also may include a communication interface
[218] coupled to the bus [202]. The communication interface [218] provides a two-
20 way data communication coupling to a network link [220] that is connected to a
local network [222]. For example, the communication interface [218] may be an
integrated services digital network (ISDN) card, cable modem, satellite modem, or
a modem to provide a data communication connection to a corresponding type of
telephone line. As another example, the communication interface [218] may be a
25 local area network (LAN) card to provide a data communication connection to a
compatible LAN. Wireless links may also be implemented. In any such
implementation, the communication interface [218] sends and receives electrical,
electromagnetic, or optical signals that carry digital data streams representing
various types of information.
30
[0065] The computing device [200] can send messages and receive data, including
program code, through the network(s), the network link [220] and the
16

communication interface [218]. In the Internet example, a server [230] might
transmit a requested code for an application program through the Internet [228], the
ISP [226], the local network [222], host [224] and the communication interface
[218]. The received code may be executed by the processor [204] as it is received,
5 and/or stored in the storage device [210], or other non-volatile storage for later
execution.
[0066] The computing device [200] encompasses a wide range of electronic devices capable of processing data and performing computations. Examples of
10 computing device [200] include, but are not limited only to, personal computers,
laptops, tablets, smartphones, servers, and embedded systems. The devices may operate independently or as part of a network and can perform a variety of tasks such as data storage, retrieval, and analysis. Additionally, computing device [200] may include peripheral devices, such as monitors, keyboards, and printers, as well
15 as integrated components within larger electronic systems, showcasing their
versatility in various technological applications.
[0067] Referring to FIG. 3, an exemplary block diagram of a system [300] for authentication of one or more third-party applications in a communication system,
20 is shown, in accordance with the exemplary implementations of the present
disclosure. The system [300] comprises at least one API Exposure function (AEF) [118b], at least one API invoker [304], and at least one Edge Load Balancer (ELB) [306] (alternatively referred to as ELB [306] herein), at least one transceiver unit [308], at least one generating unit [310], at least one processing unit [312], and at
25 least one authenticating unit [314]. Also, all of the components/ units of the system
[300] are assumed to be connected to each other unless otherwise indicated below. As shown in the figures all units shown within the system should also be assumed to be connected to each other. Also, in FIG. 3 only a few units are shown, however, the system [300] may comprise multiple such units or the system [300] may
30 comprise any such numbers of said units, as required to implement the features of
the present disclosure.
17

[0068] The system [300] is configured for authentication of one or more third-party applications in a communication system, with the help of the interconnection between the components/units of the system [300].
5 [0069] The system [300] comprises the ELB [306]. The ELB [306] includes the transceiver unit [308] which is configured to receive an enrolment request message, wherein the enrolment request message further comprises an authentication request to access one or more network functions. For example, a third-party developer has created an application that needs to interact with the telecom operator’s network
10 services. The application, acting as the API invoker [304], sends an enrolment
request to the AEF [118b] through the ELB [306]. The enrolment request not only indicates the application’s intent to use the network services but also includes an authentication request to ensure that only legitimate and secure applications can access these services. In an exemplary aspect, API exposure function (AEF) [118b]
15 is one of the components of common API framework (CAPIF). In an exemplary
aspect, ELB can be deployed in public domain to receive requests from public network as well as in private network for internal communication. Therefore, the terms ELB and Public ELB are used interchangeably in the present disclosure.
20 [0070] The ELB [306] comprises the generating unit [310] communicatively coupled to the transceiver unit [308]. The generating unit [310] is configured to generate a security token for the enrolment request message to enhance the security and integrity of the communication process. When an API invoker [304] sends an enrolment request message, this message first arrives at the generating unit [310] at
25 the ELB [306]. The enrolment request message typically includes details about the
API invoker [304] and an authentication request to access the network exposure function. Upon receiving this enrolment request, the ELB [306] generates a unique security token. The security token such as but not limited to open authorization (OAuth) token, acts as a digital fingerprint, uniquely identifying the request and the
30 API invoker [304].
18

[0071] In an exemplary aspect, a third-party application (API invoker) needs to
access a service API provided by a network operator. The ELB [306] acts as an
intermediary. For example, when the API invoker sends an enrolment request to
access a network service, the ELB first establishes a secure TLS connection and
5 generates an OAuth-based security token. The token is then included in every
service API request from the invoker. Before any request reaches the CAPIF, the
ELB [306] validates the token, ensuring only authenticated and authorized traffic
proceeds. Additionally, the ELB [306] can distribute incoming requests across
multiple CAPIF instances, optimizing load handling and enhancing scalability.
10 Thus, if an invoker tries to flood the network with malicious traffic, the ELB can
block such attempts, safeguarding the network and ensuring smooth, secure operation of legitimate API requests.
[0072] The transceiver unit [308] at the Edge Load Balancer (ELB) [306] further
15 comprises is further configured to transmit the security token to the API invoker
[304]. Upon generating the token, the generating unit [310] at the ELB [306]
encapsulates the security token within a response message. The response message
is formatted according to predefined communication protocols to ensure
compatibility and security. For example, the generating unit [310] at the ELB [306]
20 might use HTTPS (Hypertext Transfer Protocol Secure) to encrypt the message,
ensuring that the token cannot be intercepted or tampered with during transmission.
For example, a third-party application, acting as the API invoker [304], sends an
enrolment request to the ELB [306]. After processing this request and generating
the security token, the generating unit [310] at the ELB [306] constructs a response
25 message that includes the token. This message is encrypted using TLS (Transport
Layer Security) to protect the integrity and confidentiality of the token. The
encrypted message is then sent back by the transceiver unit [308] to the API invoker
[304] over a secure channel.
30 [0073] The Edge Load Balancer (ELB) [306] includes the processing unit [312], which is connected at least to the transceiver unit [308]. The processing unit [312] is further configured to establish a secure connection between the ELB [306] and
19

the API invoker [304]. The secure connection ensures that all data exchanged
between the API invoker [304] and the ELB [306] is protected from unauthorized
access and tampering. The processing unit [312] at the ELB [306] utilizes Transport
Layer Security (TLS) protocols, which provide robust encryption and
5 authentication mechanisms. When the API invoker [304] first sends an enrolment
request to the ELB [306], the processing unit [312] at the ELB [306] initiates the
TLS handshake process. The TLS handshake process begins with the ELB [306]
sending a digital certificate to the API invoker [304]. The digital certificate contains
the ELB's [306] public key and is issued by a trusted Certificate Authority (CA),
10 ensuring its authenticity. The API invoker [304] verifies the certificate using the
CA’s public key, confirming the ELB's [306] identity.
[0074] The transceiver unit [308] at the Edge Load Balancer (ELB) [306] is further configured to receive an incoming request for an API Exposure function from the
15 API invoker [304]. Once the secure connection is established and the API invoker
[304] has received the security token, the API invoker [304] begins to send an API request (such as the incoming request) to access specific network services. The requests are sent to the transceiver unit [308] at the ELB [306], which acts as an intermediary between the API invoker [304] and the AEF [118b]. When the API
20 invoker [304] sends the API request (such as the incoming request). The API
request (such as the incoming request) includes the security token previously issued by the generating unit [310] at the ELB [306], as well as specific details about the API service being requested. For example, if the API invoker [304] is a third-party application that needs to access a telecom operator's billing service, the request will
25 specify the billing API endpoint and include necessary parameters such as user
identification and billing information.
[0075] The Edge Load Balancer (ELB) [306] includes the authenticating unit [314],
which is connected at least to the transceiver unit [308]. The authenticating unit
30 [314] is configured to authenticate the incoming request from the API invoker
[304]. Authentication ensure that only authorized API invokers [304] can access
the network services and that their requests are legitimate. When the authenticating
20

unit [314] at the ELB [306] receives the request, it first decrypts the communication
using the session key established during the TLS handshake, ensuring that the data
has not been altered in transit. Following decryption, the extracts the security token
included in the request. This token was previously issued to the API invoker during
5 the enrolment process and serves as a unique identifier for authentication purposes.
For example, an API invoker [304], such as a third-party application providing
weather updates, sends a request to access the network's weather data API. The
request includes a security token issued during the initial authentication phase. The
ELB [306] extracts this token from the request and proceeds to validate it. In an
10 exemplary aspect, the security token such as but not limited to OAuth token,
contains the consumer identity details and security token expiry details. The ELB [306] has the logic to extract these details from the security token in order to validate it.
15 [0076] The processing unit [312] at the ELB [306] is further configured to set up one or more API Exposure functions (AEF) [118b] for authenticating multiple third-party applications. For example, a telecom operator offers various network services accessed via APIs. Third-party applications, such as a billing software, a customer management tool, and an analytics dashboard, need secure access. When
20 a new application, like an IoT device management platform, sends an enrolment
request, the processing unit [312] at the ELB [306] configures the AEF [118b] instance to handle its authentication and service requests.
[0077] The Edge Load Balancer (ELB) [306] is further configured to load balance
25 the incoming requests in a round-robin fashion. In an exemplary aspect, ELB is
further configured load balance the incoming request. For example, imagine there
are three AEF [118b] instances: AEF-1, AEF-2, and AEF-3. When the first request
comes in, the ELB [306] directs it to AEF-1. The second request goes to AEF-2,
and the third to AEF-3. When the fourth request arrives, it is routed back to AEF-
30 1, and the cycle continues. This method ensures that each AEF [118b] instance
21

handles an equal number of requests, preventing any single instance from becoming overloaded.
[0078] The processing unit [312] at the ELB [306] is further configured to load
5 balance the incoming request between available API Exposure function based on
the context-based routing defined in it. The ELB [306] establishes a secure TLS connection and generates OAuth-based security tokens and performs context-based routing to balance incoming requests across available API Exposure Function (AEF) [118b]. The processing unit [312] at the ELB [306] directs requests to
10 different AEF instances based on predefined routing criteria, optimizing resource
use, and ensuring efficient handling of requests. For example, if an API invoker sends multiple service API requests, the ELB assesses each request's context, such as type, source, or load, and routes it to the most appropriate AEF instance. The context-based routing prevents any single AEF from becoming a bottleneck,
15 thereby maintaining high performance and reliability of the network services. For
example, if there are three AEF instances and one is handling high-priority traffic, the ELB might route new requests to the other two instances to balance the load effectively.
20 [0079] The API invoker [304] is further configured to initiate a TLS connection with the ELB [306]; and transmit a service API request to the ELB [306], wherein the service API request comprises a token. For example, a third-party application (such as API invoker [304]) first establishes a secure TLS connection with the ELB [306] to ensure encrypted communication. Once the secure connection is
25 established, the application sends a service API request to access specific network
services. This request includes a security token that was previously issued during the enrolment process. The token authenticates the request, allowing the ELB [306] to verify the identity and legitimacy of the API invoker [304] before processing the request.
30
22

[0080] The ELB [306] is further configured to match the token of the service API
request with the security token; and validate the API invoker [304] based on the
matching. For example, when a service API request arrives from an API invoker
[304], it includes a security token. The ELB [306] compares this token with the
5 security token previously issued to the API invoker [304] during the enrolment
process. If the tokens match, the ELB [306] validates the API invoker [304], confirming its identity and legitimacy. This ensures that only authenticated and authorized requests are processed, maintaining the security of the network services.
10 [0081] Referring to FIG. 4, an exemplary method flow diagram [400] for authentication of one or more third-party applications in a communication system, in accordance with exemplary implementations of the present disclosure is shown. In an implementation the method [400] is performed by the system [300]. Further, in an implementation, the method [400] may be implemented by the system [300]
15 to implement the features of the present disclosure. Also, as shown in FIG. 4, the
method [400] starts at step [402].
[0082] At step 404, the method [400] comprises receiving, by a transceiver unit [308] at an Edge Load Balancer (ELB) [306], an enrolment request message from
20 an API invoker [304], wherein enrolment request message further comprises an
authentication request to access a network exposure function. For example, a third-party developer has created an application that needs to interact with the telecom operator’s network services. The application, acting as the API invoker [304], sends an enrolment request to the AEF [118b] through the ELB [306]. The enrolment
25 request not only indicates the application’s intent to use the network services but
also includes an authentication request to ensure that only legitimate and secure applications can access these services. In an exemplary aspect, API exposure function (AEF) [118b] is one of the components of common API framework (CAPIF). In an exemplary aspect, ELB can be deployed in public domain to receive
30 requests from public network as well as in private network for internal
communication. Therefore, the terms ELB and Public ELB are used interchangeably in the present disclosure.
23

[0083] At step 406, the method [400] comprises generating, by a generating unit
[310] at the ELB [306], a security token for the enrolment request message. When
an API invoker [304] sends an enrolment request message, this message first arrives
5 at the generating unit [310] at the ELB [306]. The enrolment request message
typically includes details about the API invoker [304] and an authentication request
to access the network exposure function. Upon receiving this enrolment request, the
ELB [306] generates a unique security token. The security token such as but not
limited to open authorization (OAuth) token, acts as a digital fingerprint, uniquely
10 identifying the request and the API invoker [304].
[0084] At step 408, the method [400] comprises transmitting, by the transceiver unit [308] at the ELB [306], the security token to the API invoker [304]. Upon generating the token, the generating unit [310] at the ELB [306] encapsulates the
15 security token within a response message. The response message is formatted
according to predefined communication protocols to ensure compatibility and security. For example, the generating unit [310] at the ELB [306] might use HTTPS (Hypertext Transfer Protocol Secure) to encrypt the message, ensuring that the token cannot be intercepted or tampered with during transmission. For example, a
20 third-party application, acting as the API invoker [304], sends an enrolment request
to the ELB [306]. After processing this request and generating the security token, the generating unit [310] at the ELB [306] constructs a response message that includes the token. This message is encrypted using TLS (Transport Layer Security) to protect the integrity and confidentiality of the token. The encrypted message is
25 then sent back by the transceiver unit [308] to the API invoker [304] over a secure
channel.
[0085] At step 410, the method [400] comprises establishing, by a processing unit
[312] at the ELB [306] a secure connection between the ELB [306] and the API
30 invoker [304]. The secure connection ensures that all data exchanged between the
API invoker [304] and the ELB [306] is protected from unauthorized access and
tampering. The processing unit [312] at the ELB [306] utilizes Transport Layer
24

Security (TLS) protocols, which provide robust encryption and authentication
mechanisms. When the API invoker [304] first sends an enrolment request to the
ELB [306], the processing unit [312] at the ELB [306] initiates the TLS handshake
process. The TLS handshake process begins with the ELB [306] sending a digital
5 certificate to the API invoker [304]. The digital certificate contains the ELB's [306]
public key and is issued by a trusted Certificate Authority (CA), ensuring its authenticity. The API invoker [304] verifies the certificate using the CA’s public key, confirming the ELB's [306] identity.
10 [0086] At step 412, the method [400] comprises receiving, by the transceiver unit [308] at the ELB [306], an incoming request for an AEF [118b] from the API invoker [304]. Once the secure connection is established and the API invoker [304] has received the security token, the API invoker [304] begins to send an API request (such as the incoming request) to access specific network services. The requests are
15 sent to the transceiver unit [308] at the ELB [306], which acts as an intermediary
between the API invoker [304] and the AEF [118b]. When the API invoker [304] sends the API request (such as the incoming request). The API request (such as the incoming request) includes the security token previously issued by the generating unit [310] at the ELB [306], as well as specific details about the API service being
20 requested. For example, if the API invoker [304] is a third-party application that
needs to access a telecom operator's billing service, the request will specify the billing API endpoint and include necessary parameters such as user identification and billing information.
25 [0087] At step 414, the method [400] comprises authenticating, by an authenticating unit [3144] at the ELB [306], the incoming request from the API invoker [304]. Authentication ensure that only authorized API invokers [304] can access the network services and that their requests are legitimate. When the authenticating unit [314] at the ELB [306] receives the request, it first decrypts the
30 communication using the session key established during the TLS handshake,
ensuring that the data has not been altered in transit. Following decryption, the extracts the security token included in the request. This token was previously issued
25

to the API invoker during the enrolment process and serves as a unique identifier
for authentication purposes. For example, an API invoker [304], such as a third-
party application providing weather updates, sends a request to access the network's
weather data API. The request includes a security token issued during the initial
5 authentication phase. The ELB [306] extracts this token from the request and
proceeds to validate it. In an exemplary aspect, the security token such as but not limited to OAuth token, contains the consumer identity details and security token expiry details. The ELB [306] has the logic to extract these details from the security token in order to validate it. 10
[0088] Thereafter, the method [400] terminates at step [416].
[0089] The present disclosure further discloses a non-transitory computer readable storage medium storing instructions for authentication of one or more third-party
15 applications in a communication system, the instructions include executable code
which, when executed by one or more units of a system, causes: an AEF [118b] configured to receive an enrolment request message from an API invoker [304] via an Edge Load Balancer (ELB) [306], wherein enrolment request message further comprises an authentication request to access a network exposure function. Further,
20 the instructions when executed causes the Edge Load Balancer (ELB) [306]
configured to generate a security token for the enrolment request message. Further, the instructions when executed causes the Edge Load Balancer (ELB) [306] configured to transmit the security token to the API invoker [304]. Further, the instructions when executed causes the Edge Load Balancer (ELB) [306] configured
25 to establish a secure connection between the ELB [306] and the API invoker [304].
Further, the instructions when executed causes the Edge Load Balancer (ELB) [306] configured to receive an incoming request for an API Exposure function from the API invoker [304]. Further, the instructions when executed causes the Edge Load Balancer (ELB) [306] configured to authenticate the incoming request from
30 the API invoker [304].
26

[0090] FIG. 5 illustrates an architecture of a system for authentication of one or more third-party applications in a communication system in accordance with exemplary implementations of the present disclosure.
5 [0091] The architecture [500] shows a Consumer [502], which represents the end-
user or application that initiates API requests to access network services. The ELB
[306] is responsible for generating security tokens for enrolment requests from the
API invoker [304], establishing secure TLS connections, receiving, and
authenticating incoming API requests, and load balancing these requests across
10 multiple instances of the API Exposure function.
[0092] The AEF [118b] serves as the endpoint for API exposure, receiving and processing authenticated API requests forwarded by the ELB [306] and handling the service logic to provide the requested network functionalities. The Identity and
15 Access Management (IAM) [508] system ensures that only authenticated and
authorized API invokers [304] can interact with the AEF [118b], working closely with the ELB [306] to validate security tokens and manage user identities. Other components include the Network Exposure Function (NEF) [118], which exposes network capabilities to third-party applications, business telephony application
20 server (BTAS) [512], and one cache data ingestion service (OCDIS) [514], which
provide operational data and control capabilities through APIs.
[0093] The process begins with the consumer [502] or API invoker [304] sending
an enrolment request to the ELB [306], which includes an authentication request to
25 access network services. The ELB [306] generates a unique security token for this
enrolment request and transmits it back to the API invoker [304], which is essential
for subsequent authentication steps. The API invoker [304] then uses the security
token to initiate a TLS (Transport Layer Security) connection with the ELB [306],
ensuring that all communication is encrypted and secure.
30
[0094] Once the secure connection is established, the API invoker [304] sends a
service API request to the ELB [306], including the previously issued security
27

token. The ELB [306] matches the token with the security token it issued earlier,
and if the token is valid, the request is authenticated. The ELB [306] then forwards
the authenticated API request to the AEF [118b] instance based on load balancing
rules, such as round-robin distribution, ensuring no single instance is overloaded
5 and that resources are utilized efficiently.
[0095] The AEF [118b] processes the requests and interacts with various network
services like network exposure function (NEF) [118], business telephony
application server (BTAS) [512], and one cache data ingestion service (OCDIS)
10 [514] to provide the requested functionalities to the API invoker [304]. This robust
and scalable architecture securely handles API requests from third-party
applications, ensuring only authenticated requests are processed and efficiently
balancing the load across multiple service instances to maintain high performance
and reliability in the communication system.
15
[0096] As is evident from the above, the present disclosure provides a technically
advanced solution for authentication of one or more third-party applications in a
communication system. The present solution a technically advanced solution of
AEF architecture for secure way of providing communication establishment
20 between third-party API and service provider network in 5G communication
system. The proposed disclosure provides an Edge Load Balancer (ELB) before AEF, which onboards the API invoker [304] in a secure way. In the distributed architecture ELB makes secure TLS connection with API invoker [304] and sends authentication token in every request which are authorized by ELB before sending
25 any traffic to network. With the ELB’s TLS security aspect, the method and system
reject non-secure connections from API invoker [304] and may remove the chances of malware and/or DoS attack. In another preferred embodiment, configuration of multiple CAPIFs can be performed with ELB [306], which provide easy scalability to CAPIFs in 5G communication system. In another preferred embodiment,
30 configuration of multiple CAPIFs can be performed at the ELB [306] startup by
configuring one or more CAPIF details in ELB [306] configuration files. In another preferred embodiment, the configuration of multiple CAPIFs can be performed at
28

runtime by registering API in CAPIF with ELB [306] using a user interface (UI) or CAPIF command line.
[0097] In an exemplary aspect, the configuration of multiple CAPIF instances can be accomplished in two ways i.e., at ELB startup and at runtime. At ELB startup, the CAPIF details, such as IP addresses, authentication keys, and load balancing rules, can be pre-configured in the ELB’s configuration files. For example, during the initial setup, an operator might specify three CAPIF instances in the ELB’s configuration file, each with its own set of parameters. When the ELB starts, it reads this configuration and establishes connections with these CAPIF instances, ready to route and balance incoming API requests according to predefined rules. Alternatively, at runtime, configuration can be more dynamic. CAPIF provides an API for registration with the ELB, which can be invoked from a user interface (UI) or command line. This allows administrators to add, remove, or update CAPIF instances without restarting the ELB. For example, if a new CAPIF instance needs to be added to handle increased load, an administrator can use the UI to call the CAPIF registration API, providing the necessary details. The ELB then updates its configuration on-the-fly, integrating the new CAPIF instance into its load-balancing and routing mechanisms.
[0098] Further, in accordance with the present disclosure, it is to be acknowledged that the functionality described for the various the components/units can be implemented interchangeably. While specific embodiments may disclose a particular functionality of these units for clarity, it is recognized that various configurations and combinations thereof are within the scope of the disclosure. The functionality of specific units as disclosed in the disclosure should not be construed as limiting the scope of the present disclosure. Consequently, alternative arrangements and substitutions of units, provided they achieve the intended functionality described herein, are considered to be encompassed within the scope of the present disclosure.

[0099] The present disclosure relates to a non-transitory computer readable storage medium storing instruction for authentication of one or more third-party applications in a communication system, the instructions include executable code which, when executed by one or more units of a system, causes: an API Exposure function (AEF) configured to receive an enrolment request message from an API invoker [304] via an Edge Load Balancer (ELB), wherein enrolment request message further comprises an authentication request to access a network exposure function. Further, the instructions when executed causes the Edge Load Balancer (ELB) configured to generate a security token for the enrolment request message. Further, the instructions when executed causes the Edge Load Balancer (ELB) configured to transmit the security token to the API invoker [304]. Further, the instructions when executed causes the Edge Load Balancer (ELB) configured to establish a secure connection between the ELB and the API invoker [304]. Further, the instructions when executed causes the Edge Load Balancer (ELB) configured to receive an incoming request for an API Exposure function from the API invoker [304]. Further, the instructions when executed causes the Edge Load Balancer (ELB) configured to authenticate the incoming request from the API invoker [304].
[0100] While considerable emphasis has been placed herein on the disclosed implementations, it will be appreciated that many implementations can be made and that many changes can be made to the implementations without departing from the principles of the present disclosure. These and other changes in the implementations of the present disclosure will be apparent to those skilled in the art, whereby it is to be understood that the foregoing descriptive matter to be implemented is illustrative and non-limiting.

We Claim:
1. A method for authentication of one or more third-party applications in a
communication system, the method comprising:
- receiving, by a transceiver unit [308] at an Edge Load Balancer (ELB) [306], an enrolment request message from an API invoker [304], wherein the enrolment request message further comprises an authentication request to access a network exposure function;
- generating, by a generating unit [310] at the ELB [306], a security token for the enrolment request message;
- transmitting, by the transceiver unit [308] at the ELB [306], the security token to the API invoker [304];
- establishing, by a processing unit [312] at the ELB [306] a secure connection between the ELB [306] and the API invoker [304];
- receiving, by the transceiver unit [308] at the ELB [306], an incoming request for an API Exposure function (AEF) [118b] from the API invoker [304]; and
- authenticating, by an authenticating unit [314] at the ELB [306], the incoming request from the API invoker [304].

2. The method as claimed in claim 1, wherein the method further comprises configuring, by the processing unit [312], one or more API Exposure function (AEF) [118b] for authentication of one or more third-party applications.
3. The method as claimed in claim 1, wherein the method further comprises load balancing, by the processing unit [312], the incoming requests in a round robin fashion.
4. The method as claimed in claim 1, the method further comprises:

- initiating, by the API invoker [304], a TLS connection with the ELB [306]; and
- transmitting, by API invoker [304], a service API request to the ELB [306], wherein the service API request comprises of a token.
5. The method as claimed in claim 4, the method further comprises:
- matching, by the processing unit [312], the token of the service API request with the security token; and
- validating, by the processing unit [312], the API invoker [304] based on the matching.
6. A system for authentication of one or more third-party applications in a
communication system, the system comprising:
- an ELB [306] comprising:
o a transceiver unit [308] configured to receive an enrolment request
message, wherein the enrolment request message further comprises
an authentication request to access one or more network functions; o a generating unit [310] configured to generate a security token for
the enrolment request message; o the transceiver unit [308] configured to transmit the security token
to an API invoker [304]; o a processing unit [312] configured to establish a secure connection
between the ELB [306] and the API invoker [304]; o the transceiver unit [308] further configured to receive an incoming
request for an API Exposure function from the API invoker [304];
and o an authenticating unit [314] configured to authenticate the incoming
request from the API invoker [304].

7. The system as claimed in claim 6, wherein the processing unit [310] is further configured to configure one or more API Exposure functions (AEFs) [118b] for authentication of one or more third-party applications.
8. The system as claimed in claim 6, wherein the processing unit [310] is further configured to load balance the incoming requests in a round robin fashion.
9. The system as claimed in claim 6, wherein the API invoker [304] is further configured to:

- initiate a TLS connection with the ELB [306]; and
- transmit a service API request to the ELB [306], wherein the service API request comprises a token.
10. The system as claimed in claim 9, wherein the processing unit [310] is
further configured to:
- match the token of the service API request with the security token; and
- validate the API invoker [304] based on the matching.