Re: [Txauth] JSON Schema?

Benjamin Kaduk <kaduk@mit.edu> Tue, 07 July 2020 05:30 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E54863A0859 for <txauth@ietfa.amsl.com>; Mon, 6 Jul 2020 22:30:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rIurM5JShF93 for <txauth@ietfa.amsl.com>; Mon, 6 Jul 2020 22:30:54 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CE7C3A0853 for <txauth@ietf.org>; Mon, 6 Jul 2020 22:30:53 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 0675Unxl018643 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 7 Jul 2020 01:30:51 -0400
Date: Mon, 6 Jul 2020 22:30:48 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Justin Richer <jricher@mit.edu>, txauth@ietf.org
Message-ID: <20200707053048.GV16335@kduck.mit.edu>
References: <CAD9ie-vnA98pobbboS00SAHneEG52_8eMxh_sE3r3jg6gyooGg@mail.gmail.com> <E9EC90C9-7A9A-4909-8627-A161B33E941F@mit.edu> <B3104062-AF2B-4FFB-A8CD-3DD5BE178812@mit.edu> <CAD9ie-u==Yjdyef2bQD+Ngv=bgpw1KVG+ND--CMQv1JOTd3Dqg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAD9ie-u==Yjdyef2bQD+Ngv=bgpw1KVG+ND--CMQv1JOTd3Dqg@mail.gmail.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/UDr02XxxA2MZGWre3Sx5s-XsG-E>
Subject: Re: [Txauth] JSON Schema?
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2020 05:30:56 -0000

On Mon, Jul 06, 2020 at 01:16:27PM -0700, Dick Hardt wrote:
> Thanks Wayne and Justin.
> 
> I agree that we would not want to make it an implementation requirement.
> 
> I asked Tim Bray his thoughts (edited the IETF JSON specs, one of XML
> creators)
> 
> Tim has written a number of blog posts on JSON Schema. TL;DR: he is not a
> huge fan.
> 
> He pointed out the IETF JSON Type Definition ID [2]. This looks much
> simpler and addresses many of the concerns Tim had expressed with JSON
> Schema. It also has a more recent draft published on the IETF.

FWIW, draft-ucarion-json-type-definition is in the RFC Editor's queue as a
document published via the ISE stream, as can be seen at
https://www.rfc-editor.org/current_queue.php and
https://datatracker.ietf.org/doc/draft-ucarion-json-type-definition/

It's only been at the RFC Editor for a week or so, and we're running 10
weeks minimum to publication, it will not be an RFC for anouther couple
months at least.

-Ben

> Unfortunately there do not seem to be many implementations, and the website
> [3] is missing the promised docs [4]. The latest ID [5] looks to be derived
> from CDDL (RFC 8610) [6].
> 
> I reached out to the core JSON Schema people, and they are focussed on
> making JSON Schema changes to support efforts for the next version of Open
> API [7]
> 
> My take: I may use Open Schema in my PoC implementation not unlike what
> Wayne did, but it does not look like either JSON Schema or JSON Type
> Definition is ready for the WG to use at this point.
> 
> /Dick
> 
> [1]
> https://www.google.com/search?as_q=json+schema&hl=en&ie=UTF-8&btnG=Google%2BSearch&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=tbray.org
> <https://www.google.com/search?as_q=json+schema&hl=en&ie=UTF-8&btnG=Google%2BSearch&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=tbray.org>
> 
> [2] https://datatracker.ietf.org/doc/draft-ucarion-json-type-definition/
> 
> [3] https://jsontypedef.com/
> 
> [4] https://jsontypedef.com/docs/getting-started/overview
> 
> [5] https://tools.ietf.org/html/draft-ucarion-json-type-definition-04
> 
> [6] https://tools.ietf.org/html/rfc8610
> 
> [7] https://github.com/OAI/OpenAPI-Specification
> 
> 
> On Mon, Jul 6, 2020 at 12:55 PM Justin Richer <jricher@mit.edu> wrote:
> 
> >
> > On Jul 6, 2020, at 3:54 PM, Justin Richer <jricher@mit.edu> wrote:
> >
> > I think it’s potentially ok for defining the specification and its
> > boundaries, but it is not ok if it ends up requiring client and AS
> > developers to use JSON Schema directly to implement anything. In other
> > words, you should be a able to still write a bunch of hand-crafted
> > validation code to make it work, or to use a parser that drops things into
> > structured objects for you (like my Java implementation of XYZ does). Much
> > like my argument against JSONLD, I think anything beyond a JSON parser
> >
> >
> > … and generator is too much to ask. (Sorry, hit send too early.)
> >
> >
> > Another aspect that I don’t like about JSON schema is that it makes it
> > difficult to describe things in terms of polymorphic data types.
> > Polymorphism in the protocol is an important part of the XYZ proposal’s
> > design, and as a feature it directly addresses a number of the items you
> > found when doing your XAuth implementation, like parsing OAuth scopes and
> > dealing with the authorization/authorizations mutually-exclusive oddness
> > that you mentioned. I strongly believe that GNAP should make use of a
> > polymorphic protocol structure for these and other reasons. Polymorphism is
> > a built-in feature of the JSON data model, and it’s also fully possible to
> > support under CBOR and other data serialization languages. Even JWT most
> > famously uses polymorphism for the “aud” field, which can be a string or an
> > array of strings depending on context, all with clear semantics. Defining
> > that in JSON schema is not impossible, but it’s not easy.
> >
> > So overall, I think JSON schema is probably not a good fit here.
> >
> >  — Justin
> >
> > On Jul 6, 2020, at 3:00 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
> >
> > Hey
> >
> > Does anyone have experience and/or opinions on JSON Schema [1]?
> >
> > When implementing XAuth [2], I wrote a bunch of hand crafted JSON
> > validation code. JSON schema looks like it could be a great way to validate
> > input, and to create automated tests for output. It may also be a great way
> > to document the Grant Response JSON.
> >
> > / Dick
> >
> > [1] https://json-schema.org/
> > [2] https://github.com/dickhardt/XAuth-poc
> >
> >
> > --
> > Txauth mailing list
> > Txauth@ietf.org
> > https://www.ietf.org/mailman/listinfo/txauth
> >
> >
> > --
> > Txauth mailing list
> > Txauth@ietf.org
> > https://www.ietf.org/mailman/listinfo/txauth
> >
> >
> >

> -- 
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth