"contentSchema" for embedded string data #669
Comments
|
So with this can I describe a JWT with its base64 encoded sections with additional constraints? I find to make JWT's useful and secure I need to add additional constrainsts such as limiting the |
|
@gcallaghan after playing with that jwt.io site that you pointed me to (and thanks for your off-github help- I have a better grasp of JWT now), here is how I think it would be used in Hyper-Schema. Using the example in RFC 7419 §3.1, assuming that we want to pin the header to require JWT and the HS256 algorithm shown in the example, and nothing more, but just want to describe the structure of the payload and leave it open-ended (because "all claims that are not understood by implementations MUST be ignored."), I think that would look like: {
"$schema": "https://json-schema.org/draft-08/hyper-schema#",
"links": [
{
"rel": "self",
"href": "whatever",
"headerSchema": {
"type": "object",
"required": ["authorization"],
"properties": {
"authorization": {
"type": "object",
"required": ["Bearer"],
"maxProperties": 1,
"properties": {
"Bearer": {
"type": "string",
"contentMediaType": "application/jwt",
"contentSchema": {
"type": "object",
"required": ["header", "payload"],
"properties": {
"header": {
"const": {
"typ": "JWT",
"alg": "HS256"
}
},
"payload": {
"$ref": "http://example.com/schemas/rfc7519/registered-claims",
"required": [
"iss",
"exp",
"http://example.com/is_root"
],
"properties": {
"iss": {"type": "string"},
"exp": {"type": "integer"},
"http://example.com/is_root": {"type": "boolean"}
}
}
}
}
}
}
}
}
}
}
]
}Some things to note:
Does this seem reasonable? And useful? |
|
That looks good to me! I'm curious how would the array look? I used the object description as I wanted to be as disambiguous as possible. However, in practice I can see something like |
|
It would seem to me the best way to map application/jwt onto JSON—perhaps with some participation from that WG—is to define a related (and isomorphic) Similar approaches could be taken for other media types. I forget where I saw it, but someone had a whole JSON vocabulary for representing XML content as JSON. PHP has a builtin library for converting XML to a (probably) compatible format: http://php.net/simplexml |
|
@awwright one use case here is to describe APIs (or JWTs in general) as people use them, so that means working with Any time someone stuffs JSON in a string, such as submitting JSON as the value in an {
"$schema": "https://json-schema.org/draft-08/hyper-schema#",
"links": [
{
"rel": "self",
"href": "whatever",
"submissionMediaType": "application/x-www-form-urlencoded",
"submissionSchema": {
"type": "object",
"properties": {
"someFieldUsingJson": {
"type": "string",
"contentMediaType": "application/json",
"contentSchema": {...}
}
}
}
}
]
}So finding alternative ways to express JWTs is not really part of the goal here. |
|
Yeah I was hoping to shed some light on the problem here. I think one of the issues it illustrates, upon further reflection, is it limits authors to one mapping of a media type to a JSON document (one per media type). Either we can force authors to work in this for simplicity, or we can allow some sort of keyword that defines which mapping from an arbitrary media type to a JSON document to use. |
|
After discussing this with KayEss on the JSON Schema slack (I don't know their github username), I think that the array approach is the way to go. They pointed out some potential confusion with "payload" vs "claims", which I can dig out of the slack history if you'd like. It had to do with which term applied to the encoded vs decoded JSON, I think. Anyway, here is the array version (note that I had to re-do the object example a bit because I left out the {
"$schema": "https://json-schema.org/draft-08/hyper-schema#",
"links": [
{
"rel": "self",
"href": "whatever",
"headerSchema": {
"type": "object",
"required": ["authorization"],
"properties": {
"authorization": {
"type": "object",
"required": ["Bearer"],
"maxProperties": 1,
"properties": {
"Bearer": {
"type": "string",
"contentMediaType": "application/jwt",
"contentSchema": {
"type": "array",
"minItems": 2,
"items": [
{
"const": {
"typ": "JWT",
"alg": "HS256"
}
},
{
"$ref": "http://example.com/schemas/rfc7519/registered-claims",
"required": [
"iss",
"exp",
"http://example.com/is_root"
],
"properties": {
"iss": {"type": "string"},
"exp": {"type": "integer"},
"http://example.com/is_root": {"type": "boolean"}
}
}
]
}
}
}
}
}
}
}
]
}The change is minimal. |
|
@awwright we already basically cover this in JSON Hyper-Schema where
If you would like to debate different ways to map media types into the JSON data model, please open a separate issue for that. I do not think it is necessary, as we have not had any negative feedback on this topic with Hyper-Schema despite it getting a good bit of interest, a nearly-complete implementation, and several blog posts. In any event, it is orthogonal to |
|
@awwright admittedly it may become necessary as more people work with it, which is why I think having a separate issue would be good. |
|
I'll take a closer look at the issues you reference. |
|
@handrews The array implementation makes sense to me. I understand the naming issue, where the encoding can change how the vocabulary is understood. Basically, encoded, the middle part is known as the payload, and the payload contains claims. So when the payload is decoded, it is a JSON object with the claims inside. The array method is more structurally accurate. |
|
@gcallaghan looks like we have a viable example, then! I will probably proceed with a PR, using the same vague language around "mapping the media type into the JSON data model" (the data model being defined in Core) that we use in Hyper-Schema. If/when @awwright comes up with a more clear set of instructions or conventions for performing mappings, we will update all of the specs then. But I think there is no need to block |
|
Merged #673 |
ghost
removed
the
JSON Schemas can be applied to any data that maps reasonably well into the JSON data model. We take advantage of this in JSON Hyper-Schema to apply JSON Schema to media types such as
multipart/alternativeandapplication/x-www-form-urlencoded.contentMediaTypeandcontentEncodinglet us embed other media types into JSON strings. An example where this would be likely is with JSON Web Tokens, which have a media type ofapplication/jwt.The contents of a JWT are, as one might expect, JSON, but encoded in such a way that a
+jsonmedia type would be inaccurate.The
contentSchemakeyword would take a schema, which is applied to the contents of the string as interpreted according tocontentMediaTypeandcontentEncoding. This would be a new type of applicator, applying a schema to string contents.There is an obvious implementation challenge, which is that implementations are not required to implement
contentMediaTypeandcontentEncodingas assertions, and may simply collect them as annotations for another application to use. A similar restriction would exist forcontentSchema.We may wish to suggest that a small number of media types with obvious roles in a JSON ecosystem, such as
application/jwt, SHOULD be supported, but support for arbitrary media types and encodings obviously remains impossible.This feature would be very useful in Hyper-Schema for JWTs and also for the contents of
CookieandSet-Cookie.The text was updated successfully, but these errors were encountered: