Number Verification

mock

Verify phone numbers efficiently to ensure data integrity and enhance user authentication processes.

Introduction

The CAMARA Number Verification API checks whether the provided mobile phone number is the one actually used in the device. The service verifies that the user is using a device with the same mobile phone number as the one declared for this user. The application consuming this API can also retrieve the number itself: the API returns the phone number associated with the authenticated user's access token.

Because the Number Verification API uses the Orange mobile network, it offers strong authentication and enhanced security with minimal user friction.

API Authentication

Step 1: Request the OAuth authorization code from the user device

Because this is a mocked API, whereas the production version relies on the network to obtain the phone number, the phone number must be supplied in the login_hint parameter. In production, this parameter is not needed.

# The URL is a single string: each trailing backslash inside the quotes joins the next line to it.
curl -X GET \
  "https://api.orange.com/openidconnect/playground/v1.0/authorize?response_type=code\
&client_id=YOUR_CLIENT_ID&redirect_uri=https://YOUR_REDIRECT_URI\
&scope=openid%20dpv:FraudPreventionAndDetection%20number-verification:verify\
&state=state&login_hint=tel%3A%2B33600000000" \
  -H 'Accept: application/json'

Step 2: Request the OAuth access token

You get the Authorization header credentials when you register your application on the Orange Developer Console (https://developer.orange.com/myapps).

curl -X POST \
  "https://api.orange.com/openidconnect/playground/v1.0/token" \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Authorization: Basic YOUR_BASIC' \
  --data-urlencode 'grant_type=authorization_code' \
  --data-urlencode 'redirect_uri=https://YOUR_REDIRECT_URI' \
  --data-urlencode 'code=OFR-SYPXPfaUPCrq...5uiiFf7wy9N6sO'
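
Steps 1 and 2 from the client's side, as an added example (not Orange's or CAMARA's code): it builds the authorization URL with a fresh random state instead of a fixed one, checks the redirect before accepting the code, and prepares the token request body. The function names are hypothetical, and the callback is assumed to be a standard OAuth 2.0 redirect carrying code and state as query parameters.

```python
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Endpoint and scope are taken from the curl example above.
AUTHORIZE_URL = "https://api.orange.com/openidconnect/playground/v1.0/authorize"
SCOPE = "openid dpv:FraudPreventionAndDetection number-verification:verify"


def build_authorize_url(client_id, redirect_uri, login_hint=None):
    """Return (url, state) for Step 1; state is a fresh random value per request."""
    state = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": SCOPE, "state": state}
    if login_hint:  # only needed against the mocked playground API
        params["login_hint"] = login_hint
    # quote_via=quote percent-encodes spaces as %20, as in the curl example.
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote), state


def extract_code(callback_url, expected_redirect_uri, expected_state):
    """Return the authorization code from the redirect, or raise ValueError."""
    got, want = urlsplit(callback_url), urlsplit(expected_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect_uri")
    query = parse_qs(got.query)
    state = query.get("state", [])
    if len(state) != 1 or not hmac.compare_digest(
            state[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not bound to this session")
    if "error" in query:
        raise ValueError("authorization error: " + query["error"][0])
    code = query.get("code", [])
    if len(code) != 1:
        raise ValueError("missing or duplicated authorization code")
    return code[0]


def token_request_body(code, redirect_uri):
    """Form body for Step 2; redirect_uri must equal the one sent in Step 1."""
    return urlencode({"grant_type": "authorization_code",
                      "redirect_uri": redirect_uri, "code": code})
```

Store the returned state in the user's session before redirecting, and pass that stored value to extract_code when the callback arrives.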

API Description

Summary of resources

This API has two resources: verify and device-phone-number.

Summary of methods and URL

Use case of operation | Method and URL
I want to check if the provided mobile phone number is the one actually used in the device | POST https://api.orange.com/camara/playground/api/number-verification/v1/verify
I want to get the phone number of the used device | GET https://api.orange.com/camara/playground/api/number-verification/v1/device-phone-number

Verify Operation

Verifies whether the provided phone number (plain text or hashed format) matches the one that the user is currently using. The API returns true/false depending on whether the input matches the device phone number associated with the authenticated user's access token.

Summary of request body parameters

Name | Description | Type | Mandatory
phoneNumber | Subscriber number in E.164 format (starting with country code). Must be prefixed with '+' | string | Yes

Request

curl -X POST \
  "https://api.orange.com/camara/playground/api/number-verification/v1/verify" \
  -H 'Authorization: Bearer {your access token}' \
  -H 'Cache-Control: no-cache' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{ "phoneNumber": "+33699999999" }'

Response

200
Content-Type: application/json
{
  "devicePhoneNumberVerified": true
}

Fields description

The response features only one attribute: devicePhoneNumberVerified.

This attribute is true when the provided number is the same as the one in the device in use.

Return phone number Operation

Returns the phone number associated with the access token so the API clients can verify the number themselves.

Get phone number

Request

curl -X GET \
  "https://api.orange.com/camara/playground/api/number-verification/v1/device-phone-number" \
  -H 'Authorization: Bearer {your access token}' \
  -H 'Cache-Control: no-cache' \
  -H 'accept: application/json'

Response

200
Content-Type: application/json
{
  "devicePhoneNumber": "+123456789"
}

Most frequent errors

In some cases your client application loses access to the API resources and receives an error.

Please check the following points:

  • You are using an expired or revoked access_token, so you get an invalid token error. You will have to request a new access_token. As an example:
HTTP/1.1 401 Unauthorized
Content-Type: application/json
{
  "code": "UNAUTHORIZED",
  "message": "Authorization failed: ..."
}
  • You removed your subscription to the API, so generating an access_token is no longer allowed. As an example:
HTTP/1.1 403 Forbidden
Content-Type: application/json
{
  "code": "FORBIDDEN",
  "message": "Operation not allowed: ..."
}