Re: [Txauth] JSON Schema?

Justin Richer <jricher@mit.edu> Mon, 06 July 2020 20:30 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 957C73A0A6A for <txauth@ietfa.amsl.com>; Mon, 6 Jul 2020 13:30:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mzupRRCLVgQB for <txauth@ietfa.amsl.com>; Mon, 6 Jul 2020 13:30:45 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2349F3A0A66 for <txauth@ietf.org>; Mon, 6 Jul 2020 13:30:44 -0700 (PDT)
Received: from [192.168.1.7] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 066KUg6v031049 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 6 Jul 2020 16:30:42 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <561C0AB5-BF44-4B8D-82C4-DA0A12DFB668@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E255B426-B0B6-4731-8C6B-DD4D45A40AC3"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Mon, 6 Jul 2020 16:30:42 -0400
In-Reply-To: <CAD9ie-u==Yjdyef2bQD+Ngv=bgpw1KVG+ND--CMQv1JOTd3Dqg@mail.gmail.com>
Cc: txauth@ietf.org
To: Dick Hardt <dick.hardt@gmail.com>
References: <CAD9ie-vnA98pobbboS00SAHneEG52_8eMxh_sE3r3jg6gyooGg@mail.gmail.com> <E9EC90C9-7A9A-4909-8627-A161B33E941F@mit.edu> <B3104062-AF2B-4FFB-A8CD-3DD5BE178812@mit.edu> <CAD9ie-u==Yjdyef2bQD+Ngv=bgpw1KVG+ND--CMQv1JOTd3Dqg@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/z4yD5FX9hxi92Eqw_gABkEHdfz0>
Subject: Re: [Txauth] JSON Schema?
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2020 20:30:48 -0000

The best thing about schema languages is that there are so many of them to choose from. :)

I do like Wayne’s idea of using JSON schema (or something similar) in a validation test suite, and that’s something that the group should consider. Formal tools like test suites, use case documents, and formal analysis are all in our toolbox as we build out GNAP, and so we can decide which, if any, make sense.

 — Justin

> On Jul 6, 2020, at 4:16 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
> 
> Thanks Wayne and Justin.
> 
> I agree that we would not want to make it an implementation requirement.
> 
> I asked Tim Bray his thoughts (edited the IETF JSON specs, one of XML creators)
> 
> Tim has written a number of blog posts on JSON Schema. TL;DR: he is not a huge fan. 
> 
> He pointed out the IETF JSON Type Definition ID [2]. This looks much simpler and addresses many of the concerns Tim had expressed with JSON Schema. It also has a more recent draft published on the IETF. Unfortunately there do not seem to be many implementations, and the website [3] is missing the promised docs [4]. The latest ID [5] looks to be derived from CDDL (RFC 8610) [6].
> 
> I reached out to the core JSON Schema people, and they are focussed on making JSON Schema changes to support efforts for the next version of Open API [7]
> 
> My take: I may use Open Schema in my PoC implementation not unlike what Wayne did, but it does not look like either JSON Schema or JSON Type Definition is ready for the WG to use at this point.
> 
> /Dick
> 
> [1] https://www.google.com/search?as_q=json+schema&hl=en&ie=UTF-8&btnG=Google%2BSearch&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=tbray.org <https://www.google.com/search?as_q=json+schema&hl=en&ie=UTF-8&btnG=Google%2BSearch&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=tbray.org>
>  <https://www.google.com/search?as_q=json+schema&hl=en&ie=UTF-8&btnG=Google%2BSearch&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=tbray.org> 
> [2] https://datatracker.ietf.org/doc/draft-ucarion-json-type-definition/ <https://datatracker.ietf.org/doc/draft-ucarion-json-type-definition/>
> 
> [3] https://jsontypedef.com/ <https://jsontypedef.com/>
> 
> [4] https://jsontypedef.com/docs/getting-started/overview <https://jsontypedef.com/docs/getting-started/overview>
> 
> [5] https://tools.ietf.org/html/draft-ucarion-json-type-definition-04 <https://tools.ietf.org/html/draft-ucarion-json-type-definition-04>
> 
> [6] https://tools.ietf.org/html/rfc8610 <https://tools.ietf.org/html/rfc8610>
> 
> [7] https://github.com/OAI/OpenAPI-Specification <https://github.com/OAI/OpenAPI-Specification>
> 
> 
> On Mon, Jul 6, 2020 at 12:55 PM Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
> 
>> On Jul 6, 2020, at 3:54 PM, Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
>> 
>> I think it’s potentially ok for defining the specification and its boundaries, but it is not ok if it ends up requiring client and AS developers to use JSON Schema directly to implement anything. In other words, you should be a able to still write a bunch of hand-crafted validation code to make it work, or to use a parser that drops things into structured objects for you (like my Java implementation of XYZ does). Much like my argument against JSONLD, I think anything beyond a JSON parser 
> 
> … and generator is too much to ask. (Sorry, hit send too early.)
> 
>> 
>> Another aspect that I don’t like about JSON schema is that it makes it difficult to describe things in terms of polymorphic data types. Polymorphism in the protocol is an important part of the XYZ proposal’s design, and as a feature it directly addresses a number of the items you found when doing your XAuth implementation, like parsing OAuth scopes and dealing with the authorization/authorizations mutually-exclusive oddness that you mentioned. I strongly believe that GNAP should make use of a polymorphic protocol structure for these and other reasons. Polymorphism is a built-in feature of the JSON data model, and it’s also fully possible to support under CBOR and other data serialization languages. Even JWT most famously uses polymorphism for the “aud” field, which can be a string or an array of strings depending on context, all with clear semantics. Defining that in JSON schema is not impossible, but it’s not easy.
>> 
>> So overall, I think JSON schema is probably not a good fit here.
>> 
>>  — Justin
>> 
>>> On Jul 6, 2020, at 3:00 PM, Dick Hardt <dick.hardt@gmail.com <mailto:dick.hardt@gmail.com>> wrote:
>>> 
>>> Hey
>>> 
>>> Does anyone have experience and/or opinions on JSON Schema [1]?
>>> 
>>> When implementing XAuth [2], I wrote a bunch of hand crafted JSON validation code. JSON schema looks like it could be a great way to validate input, and to create automated tests for output. It may also be a great way to document the Grant Response JSON.
>>> 
>>> / Dick
>>> 
>>> [1] https://json-schema.org/ <https://json-schema.org/>
>>> [2] https://github.com/dickhardt/XAuth-poc <https://github.com/dickhardt/XAuth-poc>
>>> 
>>> 
>>> -- 
>>> Txauth mailing list
>>> Txauth@ietf.org <mailto:Txauth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/txauth <https://www.ietf.org/mailman/listinfo/txauth>
>> 
>> -- 
>> Txauth mailing list
>> Txauth@ietf.org <mailto:Txauth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/txauth <https://www.ietf.org/mailman/listinfo/txauth>
>