Re: [Txauth] JSON Schema?

Justin Richer <jricher@mit.edu> Mon, 06 July 2020 19:54 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/xw--umAOvgl5o8UdUVo7mC_7v5Q>

I think it’s potentially ok for defining the specification and its boundaries, but it is not ok if it ends up requiring client and AS developers to use JSON Schema directly to implement anything. In other words, you should be able to still write a bunch of hand-crafted validation code to make it work, or to use a parser that drops things into structured objects for you (like my Java implementation of XYZ does). Much like my argument against JSONLD, I think anything beyond a JSON parser

Another aspect that I don’t like about JSON schema is that it makes it difficult to describe things in terms of polymorphic data types. Polymorphism in the protocol is an important part of the XYZ proposal’s design, and as a feature it directly addresses a number of the items you found when doing your XAuth implementation, like parsing OAuth scopes and dealing with the authorization/authorizations mutually-exclusive oddness that you mentioned. I strongly believe that GNAP should make use of a polymorphic protocol structure for these and other reasons. Polymorphism is a built-in feature of the JSON data model, and it’s also fully possible to support under CBOR and other data serialization languages. Even JWT most famously uses polymorphism for the “aud” field, which can be a string or an array of strings depending on context, all with clear semantics. Defining that in JSON schema is not impossible, but it’s not easy.

So overall, I think JSON schema is probably not a good fit here.

 — Justin

> On Jul 6, 2020, at 3:00 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
> 
> Hey
> 
> Does anyone have experience and/or opinions on JSON Schema [1]?
> 
> When implementing XAuth [2], I wrote a bunch of hand-crafted JSON validation code. JSON schema looks like it could be a great way to validate input, and to create automated tests for output. It may also be a great way to document the Grant Response JSON.
> 
> / Dick
> 
> [1] https://json-schema.org/
> [2] https://github.com/dickhardt/XAuth-poc
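The string-or-array "aud" field mentioned in the message above, handled with hand-written validation on top of a plain JSON parser. This is an added example, not part of the original thread or of the XYZ or XAuth code; the function names and payloads are constructed for illustration. It also shows the failure mode when the two forms are not normalized before comparison.

```python
import json


class AudienceError(ValueError):
    """Raised when "aud" is neither a string nor an array of strings."""


def normalize_aud(claims):
    """Return "aud" as a list of strings, whichever form was sent."""
    aud = claims.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    raise AudienceError(f"aud must be a string or array of strings, got {aud!r}")


def audience_ok(claims, expected):
    """Exact, case-sensitive match against the normalized audience list."""
    return expected in normalize_aud(claims)


def audience_ok_naive(claims, expected):
    """Skips normalization: `in` becomes a substring test when aud is a string."""
    return expected in claims.get("aud", [])


# Constructed claim sets (hypothetical audience values).
SINGLE = json.loads('{"aud": "https://rs.example"}')
MULTI = json.loads('{"aud": ["https://rs.example", "https://other.example"]}')
BAD = json.loads('{"aud": {"uri": "https://rs.example"}}')

if __name__ == "__main__":
    for name, claims in (("single", SINGLE), ("multi", MULTI)):
        print(name, normalize_aud(claims), audience_ok(claims, "https://rs.example"))
    # A partial value passes the naive check on the string form only.
    print("naive  :", audience_ok_naive(SINGLE, "rs.example"))
    print("checked:", audience_ok(SINGLE, "rs.example"))
    try:
        normalize_aud(BAD)
    except AudienceError as err:
        print("rejected:", err)
```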