idnits 2.17.1 draft-ucarion-json-type-definition-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 22, 2020) is 1468 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '1' on line 1336 -- Looks like a reference, but probably isn't: '2' on line 1336 -- Looks like a reference, but probably isn't: '3' on line 1336 Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Independent Submission U. Carion 3 Internet-Draft Segment 4 Intended status: Experimental March 22, 2020 5 Expires: September 23, 2020 7 JSON Type Definition 8 draft-ucarion-json-type-definition-01 10 Abstract 12 This document proposes a format, called JSON Type Definition (JTD), 13 for describing the shape of JavaScript Object Notation (JSON) 14 messages. Its main goals are to enable code generation from schemas 15 as well as portable validation with standardized error indicators. 16 To this end, JTD is intentionally limited to be no more expressive 17 than the type systems of mainstream programming languages. This 18 intentional limitation, as well as the decision to make JTD schemas 19 be JSON documents, makes tooling atop of JTD easier to build. 21 This document does not have IETF consensus and is presented here to 22 facilitate experimentation with the concept of JTD. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at https://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on September 23, 2020. 41 Copyright Notice 43 Copyright (c) 2020 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (https://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 59 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 60 1.2. Scope of Experiment . . . . . . . . . . . . . . . . . . . 5 61 2. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 62 2.1. Root vs. non-root schemas . . . . . . . . . . . . . . . . 9 63 2.2. Forms . . . . . . . . . . . . . . . . . . . . . . . . . . 9 64 2.2.1. Empty . . . . . . . . . . . . . . . . . . . . . . . . 9 65 2.2.2. Ref . . . . . . . . . . . . . . . . . . . . . . . . . 10 66 2.2.3. Type . . . . . . . . . . . . . . . . . . . . . . . . 11 67 2.2.4. Enum . . . . . . . . . . . . . . . . . . . . . . . . 11 68 2.2.5. Elements . . . . . . . . . . . . . . . . . . . . . . 12 69 2.2.6. Properties . . . . . . . . . . . . . . . . . . . . . 13 70 2.2.7. Values . . . . . . . . . . . . . . . . . . . . . . . 14 71 2.2.8. Discriminator . . . . . . . . . . . . . . . . . . . . 15 72 2.3. Extending JTD's Syntax . . . . . . . . . . . . . . . . . 16 73 3. Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . 17 74 3.1. Allowing Additional Properties . . . . . . . . . . . . . 17 75 3.2. Errors . . . . . . . . . . . . . . . . . . . . . . . . . 19 76 3.3. Forms . . . . . . . . . . . . . . . . . . . . . . . . . . 19 77 3.3.1. Empty . . . . . . . . . . . . . . . . . . . . . . . . 19 78 3.3.2. Ref . . . . . . . . . . . . . . . . . . . . . . . . . 19 79 3.3.3. Type . . . . . . . . . . . . . . . . . . . . . . . . 21 80 3.3.4. Enum . . . . . . . . . . . . . . . . . . . . . . . . 26 81 3.3.5. Elements . . . . . . . . . . . . . . . . . . . . . . 27 82 3.3.6. Properties . . . . . . . . . . . . . . . . . . . . . 29 83 3.3.7. Values . . . . . . . . . . . . . . . . . . . . . . . 33 84 3.3.8. Discriminator . . . . . . . . . . . . . . . . . . . . 35 85 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 41 86 5. Security Considerations . . . . . . . . . . . . . . . . . . . 42 87 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 42 88 6.1. Normative References . . . . . . . . . . . . . . . . . . 42 89 6.2. Informative References . . . . . . . . . . . . . . . . . 43 90 Appendix A. Other Considerations . . . . . . . . . . . . . . . . 43 91 A.1. Support for 64-bit Numbers . . . . . . . . . . . . . . . 43 92 A.2. Support for Non-Root Definitions . . . . . . . . . . . . 44 93 Appendix B. Comparison with CDDL . . . . . . . . . . . . . . . . 45 94 Appendix C. Examples . . . . . . . . . . . . . . . . . . . . . . 48 95 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 49 96 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 50 98 1. Introduction 100 This document describes a schema language for JSON [RFC8259] called 101 JSON Type Definition (JTD). 103 There exist many options for describing JSON data. JTD's niche is to 104 focus on enabling code generation from schemas; to this end, JTD's 105 expressiveness is intentionally limited to be no more powerful than 106 what can be expressed in the type systems of mainstream programming 107 languages. 109 The goals of JTD are to: 111 o Provide an unambiguous description of the overall structure of a 112 JSON document. 114 o Be able to describe common JSON datatypes and structures. That 115 is, the datatypes and structures necessary to support most JSON 116 documents, and which are widely understood in an interoperable way 117 by JSON implementations. 119 o Provide a single format that is readable and editable by both 120 humans and machines, and which can be embedded within other JSON 121 documents. This makes JTD a convenient format for tooling to 122 accept as input or produce as output. 124 o Enable code generation from JTD schemas. JTD schemas are meant to 125 be easy to convert into data structures idiomatic to mainstream 126 programming languages. 128 o Provide a standardized format for error indicators when data does 129 not conform with a schema. 131 JTD is intentionally designed as a rather minimal schema language. 132 Thus, although JTD can describe JSON, it is not able to describe its 133 own structure: this document uses Concise Data Definition Language 134 (CDDL) [RFC8610] to describe JTD's syntax. By keeping the 135 expressiveness of the schema language minimal, JTD makes code 136 generation and standardized error indicators easier to implement. 138 Examples in this document use constructs from the C++ programming 139 language. These examples are provided to aid the reader in 140 understanding the principles of JTD, but are not limiting in any way. 142 JTD's feature set is designed to represent common patterns in JSON- 143 using applications, while still having a clear correspondence to 144 programming languages in widespread use. Thus, JTD supports: 146 o Signed and unsigned 8, 16, and 32-bit integers. A tool which 147 converts JTD schemas into code can use "int8_t", "uint8_t", 148 "int16_t", etc., or their equivalents in the target language, to 149 represent these JTD types. 151 o A distinction between "float32" and "float64". Code generators 152 can use "float" and "double", or their equivalents, for these JTD 153 types. 155 o A "properties" form of JSON objects, corresponding to some sort of 156 struct or record. The "properties" form of JSON objects is akin 157 to a C++ "struct". 159 o A "values" form of JSON objects, corresponding to some sort of 160 dictionary or associative array. The "values" form of JSON 161 objects is akin to a C++ "std::map". 163 o A "discriminator" form of JSON objects, corresponding to a 164 discriminated (or "tagged") union. The "discriminator" form of 165 JSON objects is akin to a C++ "std::variant". 167 The principle of common patterns in JSON is why JTD does not support 168 64-bit integers, as these are usually transmitted over JSON in a non- 169 interoperable (i.e., ignoring the recommendations in Section 2.2 of 170 [RFC7493]) or mutually inconsistent ways. Appendix A.1 further 171 elaborates on why JTD does not support 64-bit integers. 173 The principle of clear correspondence to common programming languages 174 is why JTD does not support, for example, a data type for numbers up 175 to 2**53-1. 177 It is expected that for many use-cases, a schema language of JTD's 178 expressiveness is sufficient. Where a more expressive language is 179 required, alternatives exist in CDDL and others. 181 This document does not have IETF consensus and is presented here to 182 facilitate experimentation with the concept of JTD. The purpose of 183 the experiment is to gain experience with JTD and to possibly revise 184 this work accordingly. If JTD is determined to be a valuable and 185 popular approach it may be taken to the IETF for further discussion 186 and revision. 188 This document has the following structure: 190 Section 2 defines the syntax of JTD. Section 3 describes the 191 semantics of JTD; this includes determining whether some data 192 satisfies a schema and what error indicators should be produced when 193 the data is unsatisfactory. Appendix A discusses why certain 194 features are omitted from JTD. Appendix B presents various JTD 195 schemas and their CDDL equivalents. 197 1.1. Terminology 199 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 200 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 201 "OPTIONAL" in this document are to be interpreted as described in 202 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 203 capitals, as shown here. These words may also appear in this 204 document in lower case as plain English words, absent their normative 205 meanings. 207 The term "JSON Pointer", when it appears in this document, is to be 208 understood as it is defined in [RFC6901]. 210 The terms "object", "member", "array", "number", "name", and "string" 211 in this document are to be interpreted as described in [RFC8259]. 213 The term "instance", when it appears in this document, refers to a 214 JSON value being validated against a JTD schema. 216 1.2. Scope of Experiment 218 JTD is an experiment. Participation in this experiment consists of 219 using JTD to validate or document interchanged JSON messages, or in 220 building tooling atop of JTD. Feedback on the results of this 221 experiment may be e-mailed to the author. Participants in this 222 experiment are anticipated to mostly be nodes that provide or consume 223 JSON-based APIs. 225 Nodes know if they are participating in the experiment if they are 226 validating JSON messages against a JTD schema, or if they are relying 227 on another node to do so. Nodes are also participating in the 228 experiment if they are running code generated from a JTD schema. 230 The risk of this experiment "escaping" takes the form of a JTD- 231 supporting node expecting another node, which lacks such support, to 232 validate messages against some JTD schema. In such a case, the 233 outcome will likely be that the nodes fail to interchange information 234 correctly. 236 This experiment will be deemed successful when JTD has been 237 implemented by multiple independent parties, and these parties 238 successfully use JTD to facilitate information interchange within 239 their internal systems or between systems operated by independent 240 parties. 242 If this experiment is deemed successful, and JTD is determined to be 243 a valuable and popular approach, it may be taken to the IETF for 244 further discussion and revision. One possible outcome of this 245 discussion and revision could be that a working group produces a 246 Standards Track specification of JTD. 248 Some implementations of JTD, as well as code generators and other 249 tooling related to JTD, are available at . 252 2. Syntax 254 This section describes when a JSON document is a correct JTD schema. 255 Because Concise Data Definition Language (CDDL) is well-suited to the 256 task of defining complex JSON formats, such as JTD schemas, this 257 section uses CDDL to describe the format of JTD schemas. 259 JTD schemas may recursively contain other schemas. In this document, 260 a "root schema" is one which is not contained within another schema, 261 i.e. it is "top-level". 263 A JTD schema is a JSON object taking on an appropriate form. JTD 264 schemas may contain "additional data", discussed in Section 2.3. 265 Root JTD schemas may optionally contain definitions (a mapping from 266 names to schemas). 268 A correct root JTD schema MUST match the "root-schema" CDDL rule 269 described in this section. A correct non-root JTD schema MUST match 270 the "schema" CDDL rule described in this section. 272 ; root-schema is identical to schema, but additionally allows for 273 ; definitions. 274 ; 275 ; definitions are prohibited from appearing on non-root schemas. 276 root-schema = { 277 schema, 278 ? definitions: { * tstr => schema }, 279 } 281 ; schema is the main CDDL rule defining a JTD schema. 282 ; 283 ; All JTD schemas are JSON objects taking on one of eight forms 284 ; listed here. 285 schema = empty / 286 ref / 287 type / 288 enum / 289 elements / 290 properties / 291 values / 292 discriminator 294 ; shared is a CDDL rule containing properties that all eight schema 295 ; forms share. 296 shared = { 297 ? nullable: bool, 298 ? metadata: { * tstr => * }, 299 } 301 ; empty describes the "empty" schema form. 302 empty = { shared } 304 ; ref describes the "ref" schema form. 305 ; 306 ; There are additional constraints on this form that cannot be 307 ; expressed in CDDL. Section 2.2.2 describes these additional 308 ; constraints in detail. 309 ref = { shared, ref: tstr } 311 ; type describes the "type" schema form. 312 type = { 313 shared, 314 type: "boolean" 315 / "float32" 316 / "float64" 317 / "int8" 318 / "uint8" 319 / "int16" 320 / "uint16" 321 / "int32" 322 / "uint32" 323 / "string" 324 / "timestamp" 325 } 327 ; enum describes the "enum" schema form. 328 ; 329 ; There are additional constraints on this form that cannot be 330 ; expressed in CDDL. Section 2.2.4 describes these additional 331 ; constraints in detail. 332 enum = { shared, enum: [+ tstr] } 334 ; elements describes the "elements" schema form. 335 elements = { shared, elements: schema } 337 ; properties describes the "properties" schema form. 339 ; 340 ; This CDDL rule is defined so that a schema of the "properties" form 341 ; may omit a member named "properties" or a member named 342 ; "optionalProperties", but not both. 343 ; 344 ; There are additional constraints on this form that cannot be 345 ; expressed in CDDL. Section 2.2.6 describes these additional 346 ; constraints in detail. 347 properties = with-properties / with-optional-properties 349 with-properties = { 350 shared, 351 properties: { * tstr => schema }, 352 ? optionalProperties: { * tstr => schema }, 353 ? additionalProperties: bool, 354 } 356 with-optional-properties = { 357 shared, 358 ? properties: { * tstr => schema }, 359 optionalProperties: { * tstr => schema }, 360 ? additionalProperties: bool, 361 } 363 ; values describes the "values" schema form. 364 values = { shared, values: schema } 366 ; discriminator describes the "discriminator" schema form. 367 ; 368 ; There are additional constraints on this form that cannot be 369 ; expressed in CDDL. Section 2.2.8 describes these additional 370 ; constraints in detail. 371 discriminator = { 372 shared, 373 discriminator: tstr, 375 ; Note well: this rule is defined in terms of the "properties" 376 ; CDDL rule, not the "schema" CDDL rule. 377 mapping: { * tstr => properties } 378 } 380 Figure 1: CDDL definition of a schema 382 The remainder of this section will describe constraints on JTD 383 schemas which cannot be expressed in CDDL, and will provide examples 384 of valid and invalid JTD schemas. 386 2.1. Root vs. non-root schemas 388 The "root-schema" rule in Figure 1 permits for a member named 389 "definitions", but the "schema" rule does not permit for such a 390 member. This means that only root (i.e., "top-level") JTD schemas 391 can have a "definitions" object, and sub-schemas may not. 393 Thus 395 { "definitions": {} } 397 is a correct JTD schema, but 399 { 400 "definitions": { 401 "foo": { 402 "definitions": {} 403 } 404 } 405 } 407 is not, because sub-schemas (such as the object at "/definitions/ 408 foo") must not have a member named "definitions". 410 2.2. Forms 412 JTD schemas (i.e. JSON objects satisfying the "schema" CDDL rule in 413 Figure 1) must take on one of eight forms. These forms are defined 414 so as to be mutually exclusive; a schema cannot satisfy multiple 415 forms at once. 417 2.2.1. Empty 419 The "empty" form is defined by the "empty" CDDL rule in Figure 1. 420 The semantics of the "empty" form are described in Section 3.3.1. 422 Despite the name "empty", schemas of the "empty" form are not 423 necessarily empty JSON objects. Like schemas of any of the eight 424 forms, schemas of the "empty" form may contain members named 425 "nullable" (whose value must be "true" or "false") or "metadata" 426 (whose value must be an object) or both. 428 Thus 430 {} 432 and 433 { "nullable": true } 435 and 437 { "nullable": true, "metadata": { "foo": "bar" }} 439 are correct JTD schemas of the empty form, but 441 { "nullable": "foo" } 443 is not, because the value of the member named "nullable" must be 444 "true" or "false". 446 2.2.2. Ref 448 The "ref" form is defined by the "ref" CDDL rule in Figure 1. The 449 semantics of the "ref" form are described in Section 3.3.2. 451 For a schema of the "ref" form to be correct, the value of the member 452 named "ref" must refer to one of the definitions found at the root 453 level of the schema it appears in. More formally, for a schema _S_ 454 of the "ref" form: 456 o Let _B_ be the root schema containing the schema, or the schema 457 itself if it is a root schema. 459 o Let _R_ be the value of the member of _S_ with the name "ref". 461 If the schema is correct, then _B_ MUST have a member _D_ with the 462 name "definitions", and _D_ MUST contain a member whose name equals 463 _R_. 465 Thus 467 { 468 "definitions": { 469 "coordinates": { 470 "properties": { 471 "lat": { "type": "float32" }, 472 "lng": { "type": "float32" } 473 } 474 } 475 }, 476 "properties": { 477 "user_location": { "ref": "coordinates" }, 478 "server_location": { "ref": "coordinates" } 479 } 480 } 482 is a correct JTD schema, and demonstrates the point of the "ref" 483 form: to avoid re-defining the same thing twice. However, 485 { "ref": "foo" } 487 is not a correct JTD schema, as there is no top-level "definitions", 488 and so the "ref" form cannot be correct. Similarly, 490 { "definitions": { "foo": {}}, "ref": "bar" } 492 is not a correct JTD schema, as there is no member named "bar" in the 493 top-level "definitions". 495 2.2.3. Type 497 The "type" form is defined by the "type" CDDL rule in Figure 1. The 498 semantics of the "type" form are described in Section 3.3.3. 500 As an example of a correct JTD schema of the "type" form, 502 { "type": "uint8" } 504 is a correct JTD schema, whereas 506 { "type": true } 508 and 510 { "type": "foo" } 512 are not correct schemas, as neither "true" nor the JSON string "foo" 513 are in the list of permitted values of the "type" member described in 514 the "type" CDDL rule in Figure 1. 516 2.2.4. Enum 518 The "enum" form is defined by the "enum" CDDL rule in Figure 1. The 519 semantics of the "enum" form are described in Section 3.3.4. 521 For a schema of the "enum" form to be correct, the value of the 522 member named "enum" must be a nonempty array of strings, and that 523 array must not contain duplicate values. More formally, for a schema 524 _S_ of the "enum" form: 526 o Let _E_ be the value of the member of _S_ with name "enum". 528 If the schema is correct, then there MUST NOT exist any pair of 529 elements of _E_ which encode equal string values, where string 530 equality is defined as in Section 8.3 of [RFC8259]. 532 Thus 534 { "enum": [] } 536 is not a correct JTD schema, as the value of the member named "enum" 537 must be nonempty, and 539 { "enum": ["a\\b", "a\u005Cb"] } 541 is not a correct JTD schema, as 543 "a\\b" 545 and 547 "a\u005Cb" 549 encode strings that are equal by the definition of string equality 550 given in Section 8.3 of [RFC8259]. By contrast, 552 { "enum": ["PENDING", "IN_PROGRESS", "DONE" ]} 554 is an example of a correct JTD schema of the "enum" form. 556 2.2.5. Elements 558 The "elements" form is defined by the "elements" CDDL rule in 559 Figure 1. The semantics of the "elements" form are described in 560 Section 3.3.5. 562 As an example of a correct JTD schema of the "elements" form, 564 { "elements": { "type": "uint8" }} 566 is a correct JTD schema, whereas 568 { "elements": true } 570 and 572 { "elements": { "type": "foo" } } 574 are not correct schemas, as neither 575 true 577 nor 579 { "type": "foo" } 581 are correct JTD schemas, and the value of the member named "elements" 582 must be a correct JTD schema. 584 2.2.6. Properties 586 The "properties" form is defined by the "properties" CDDL rule in 587 Figure 1. The semantics of the "properties" form are described in 588 Section 3.3.6. 590 For a schema of the "properties" form to be correct, properties must 591 either be required (i.e., in "properties") or optional (i.e., in 592 "optionalProperties"), but not both. More formally: 594 If a schema has both a member named "properties" (with value _P_) and 595 another member named "optionalProperties" (with value _O_), then _O_ 596 and _P_ MUST NOT have any member names in common; that is, no member 597 of _P_ may have a name equal to the name of any member of _O_, under 598 the definition of string equality given in Section 8.3 of [RFC8259]. 600 Thus 602 { 603 "properties": { "confusing": {} }, 604 "optionalProperties": { "confusing": {} } 605 } 607 is not a correct JTD schema, as "confusing" appears in both 608 "properties" and "optionalProperties". By contrast, 609 { 610 "properties": { 611 "users": { 612 "elements": { 613 "properties": { 614 "id": { "type": "string" }, 615 "name": { "type": "string" }, 616 "create_time": { "type": "timestamp" } 617 }, 618 "optionalProperties": { 619 "delete_time": { "type": "timestamp" } 620 } 621 } 622 }, 623 "next_page_token": { "type": "string" } 624 } 625 } 627 is a correct JTD schema of the "properties" form, describing a 628 paginated list of users and demonstrating the recursive nature of the 629 syntax of JTD schemas. 631 2.2.7. Values 633 The "values" form is defined by the "values" CDDL rule in Figure 1. 634 The semantics of the "values" form are described in Section 3.3.7. 636 As an example of a correct JTD schema of the "values" form, 638 { "values": { "type": "uint8" }} 640 is a correct JTD schema, whereas 642 { "values": true } 644 and 646 { "values": { "type": "foo" } } 648 are not correct schemas, as neither 650 true 652 nor 654 { "type": "foo" } 656 are correct JTD schemas, and the value of the member named "values" 657 must be a correct JTD schema. 659 2.2.8. Discriminator 661 The "discriminator" form is defined by the "discriminator" CDDL rule 662 in Figure 1. The semantics of the "discriminator" form are described 663 in Section 3.3.8. Understanding the semantics of the "discriminator" 664 form will likely aid the reader in understanding why this section 665 provides constraints on the "discriminator" form beyond those in 666 Figure 1. 668 To prevent ambiguous or unsatisfiable constraints on the 669 "discriminator" property of a tagged union, an additional constraint 670 on schemas of the "discriminator" form exists. For schemas of the 671 discriminator form: 673 o Let _D_ be the member of the schema with the name "discriminator". 675 o Let _M_ be the member of the schema with the name "mapping". 677 If the schema is correct, then all member values _S_ of _M_ will be 678 schemas of the "properties" form. For each member _P_ of _S_ whose 679 name equals "properties" or "optionalProperties", _P_'s value, which 680 must be an object, MUST NOT contain any members whose name equals 681 _D_'s value. 683 Thus 685 { 686 "discriminator": "event_type", 687 "mapping": { 688 "is_event_type_a_string_or_a_float32?": { 689 "properties": { "event_type": { "type": "float32" }} 690 } 691 } 692 } 694 and 696 { 697 "discriminator": "event_type", 698 "mapping": { 699 "is_event_type_a_string_or_an_optional_float32?": { 700 "optionalProperties": { "event_type": { "type": "float32" }} 701 } 702 } 703 } 705 are incorrect schemas, as "event_type" is both the value of 706 "discriminator" and a member name in one of the "mapping" member 707 "properties" or "optionalProperties". This is ambiguous, because 708 ordinarily the "discriminator" keyword would indicate that 709 "event_type" is expected to be a string, but another part of the 710 schema specifies that "event_type" is expected to be a number. 712 JTD handles such possible ambiguity by disallowing, at the syntactic 713 level, the possibility of contradictory specifications of 714 discriminator "tags". Discriminator "tags" cannot be re-defined in 715 other parts of the schema. 717 By contrast, 719 { 720 "tag": "event_type", 721 "mapping": { 722 "account_deleted": { 723 "properties": { 724 "account_id": { "type": "string" } 725 } 726 }, 727 "account_payment_plan_changed": { 728 "properties": { 729 "account_id": { "type": "string" }, 730 "payment_plan": { "enum": ["FREE", "PAID"] } 731 }, 732 "optionalProperties": { 733 "upgraded_by": { "type": "string" } 734 } 735 } 736 } 737 } 739 is a correct schema, describing a pattern of data common in JSON- 740 based messaging systems. Section 3.3.8 provides examples of what 741 this schema accepts and rejects. 743 2.3. Extending JTD's Syntax 745 This document does not describe any extension mechanisms for JTD 746 schema validation, which is described in Section 3. However, schemas 747 are defined to optionally contain a "metadata" keyword, whose value 748 is an arbitrary JSON object. Call the members of this object 749 "metadata members". 751 Users MAY add metadata members to JTD schemas to convey information 752 that is not pertinent to validation. For example, such metadata 753 members could provide hints to code generators, or trigger some 754 special behavior for a library that generates user interfaces from 755 schemas. 757 Users SHOULD NOT expect metadata members to be understood by other 758 parties. As a result, if consistent validation with other parties is 759 a requirement, users SHOULD NOT use metadata members to affect how 760 schema validation, as described in Section 3, works. 762 Users MAY expect metadata members to be understood by other parties, 763 and MAY use metadata members to affect how schema validation works, 764 if these other parties are somehow known to support these metadata 765 members. For example, two parties may agree, out of band, that they 766 will support an extended JTD with a custom metadata member that 767 affects validation. 769 3. Semantics 771 This section describes when an instance is valid against a correct 772 JTD schema, and the error indicators to produce when an instance is 773 invalid. 775 3.1. Allowing Additional Properties 777 Users will have different desired behavior with respect to 778 "unspcecified" members in an instance. For example, consider the JTD 779 schema in Figure 2: 781 { "properties": { "a": { "type": "string" }}} 783 Figure 2: An illustrative JTD schema 785 Some users may expect that 787 {"a": "foo", "b": "bar"} 789 satisfies the schema in Figure 2. Others may disagree, as "b" is not 790 one of the properties described in the schema. In this document, 791 allowing such "unspecified" members, like "b" in this example, 792 happens when evaluation is in "allow additional properties" mode. 794 Evaluation of a schema does not allow additional properties by 795 default, but can be overridden by having the schema include a member 796 named "additionalProperties", where that member has a value of 797 "true". 799 More formally: evaluation of a schema _S_ is in "allow additional 800 properties" mode if there exists a member of _S_ whose name equals 801 "additionalProperties", and whose value is a boolean "true". 802 Otherwise, evaluation of _S_ is not in "allow additional properties" 803 mode. 805 See Section 3.3.6 for how allowing unknown properties affects schema 806 evaluation, but briefly, the schema 808 { "properties": { "a": { "type": "string" }}} 810 rejects 812 { "a": "foo", "b": "bar" } 814 However, the schema 816 { 817 "additionalProperties": true, 818 "properties": { "a": { "type": "string" }} 819 } 821 accepts 823 { "a": "foo", "b": "bar" } 825 Note that "additionalProperties" does not get "inherited" by sub- 826 schemas. For example, the JTD schema 828 { 829 "additionalProperties": true, 830 "properties": { 831 "a": { 832 "properties": { 833 "b": { "type": "string" } 834 } 835 } 836 } 837 } 839 accepts 841 { "a": { "b": "c" }, "foo": "bar" } 843 but rejects 845 { "a": { "b": "c", "foo": "bar" }} 847 because the "additionalProperties" at the root level does not affect 848 the behavior of sub-schemas. 850 Note from Figure 1 that only schemas of the "properties" form may 851 have a member named "additionalProperties". 853 3.2. Errors 855 To facilitate consistent validation error handling, this document 856 specifies a standard error indicator format. Implementations SHOULD 857 support producing error indicators in this standard form. 859 The standard error indicator format is a JSON array. The order of 860 the elements of this array is not specified. The elements of this 861 array are JSON objects with: 863 o A member with the name "instancePath", whose value is a JSON 864 string encoding a JSON Pointer. This JSON Pointer will point to 865 the part of the instance that was rejected. 867 o A member with the name "schemaPath", whose value is a JSON string 868 encoding a JSON Pointer. This JSON Pointer will point to the part 869 of the schema that rejected the instance. 871 The values for "instancePath" and "schemaPath" depend on the form of 872 the schema, and are described in detail in Section 3.3. 874 3.3. Forms 876 This section describes, for each of the eight JTD schema forms, the 877 rules dictating whether an instance is accepted, as well as the error 878 indicators to produce when an instance is invalid. 880 The forms a correct schema may take on are formally described in 881 Section 2. 883 3.3.1. Empty 885 The "empty" form is meant to describe instances whose values are 886 unknown, unpredictable, or otherwise unconstrained by the schema. 887 The syntax of the "empty" form is described in Section 2.2.1. 889 If a schema is of the empty form, then it accepts all instances. A 890 schema of the empty form will never produce any error indicators. 892 3.3.2. Ref 894 The "ref" form is for when a schema is defined in terms of something 895 in the "definitions" of the root schema. The ref form enables 896 schemas to be less repetitive, and also enables describing recursive 897 structures. The syntax of the "ref" form is described in 898 Section 2.2.2. 900 If a schema is of the ref form, then: 902 o If the schema has a member named "nullable" whose value is the 903 boolean "true", and the instance is the JSON primitive value 904 "null", then the schema accepts the instance. Otherwise: 906 o Let _B_ be the root schema containing the schema, or the schema 907 itself if it is a root schema. 909 o Let _D_ be the member of _B_ with the name "definitions". By 910 Section 2, _D_ exists. 912 o Let _R_ be the value of the schema member with the name "ref". 914 o Let _S_ be the value of the member of _D_ whose name equals _R_. 915 By Section 2.2.2, _S_ exists, and is a schema. 917 The schema accepts the instance if and only if _S_ accepts the 918 instance. Otherwise, the error indicators to return in this case are 919 the union of the error indicators from evaluating _S_ against the 920 instance. 922 For example, the schema: 924 { 925 "definitions": { "a": { "type": "float32" }}, 926 "ref": "a" 927 } 929 accepts 931 123 933 but rejects 935 null 937 with the error indicator 939 [{ "instancePath": "", "schemaPath": "/definitions/a/type" }] 941 The schema 942 { 943 "definitions": { "a": { "type": "float32" }}, 944 "ref": "a", 945 "nullable": true 946 } 948 accepts 950 null 952 because the schema has a "nullable" member, whose value is "true". 954 Note that "nullable" being "false" has no effect in any of the forms 955 described in this document. For example, the schema 957 { 958 "definitions": { "a": { "nullable": false, "type": "float32" }}, 959 "ref": "a", 960 "nullable": true 961 } 963 accepts 965 null 967 In other words, it is not the case that putting a "false" value for 968 "nullable" will ever "override" a "nullable" member in schemas of the 969 "ref" form; it is correct, though ineffectual, to have a value of 970 "false" for the "nullable" member in a schema. 972 3.3.3. Type 974 The "type" form is meant to describe instances whose value is a 975 boolean, number, string, or timestamp ([RFC3339]). The syntax of the 976 "type" form is described in Section 2.2.3. 978 If a schema is of the type form, then: 980 o If the schema has a member named "nullable" whose value is the 981 boolean "true", and the instance is the JSON primitive value 982 "null", then the schema accepts the instance. Otherwise: 984 o Let _T_ be the value of the member with the name "type". The 985 following table describes whether the instance is accepted, as a 986 function of _T_'s value: 988 +-------------------+----------------------------------------------+ 989 | If _T_ equals ... | then the instance is accepted if it is ... | 990 +-------------------+----------------------------------------------+ 991 | boolean | equal to "true" or "false" | 992 | | | 993 | float32 | a JSON number | 994 | | | 995 | float64 | a JSON number | 996 | | | 997 | int8 | See Table 2 | 998 | | | 999 | uint8 | See Table 2 | 1000 | | | 1001 | int16 | See Table 2 | 1002 | | | 1003 | uint16 | See Table 2 | 1004 | | | 1005 | int32 | See Table 2 | 1006 | | | 1007 | uint32 | See Table 2 | 1008 | | | 1009 | string | a JSON string | 1010 | | | 1011 | timestamp | a JSON string encoding a [RFC3339] timestamp | 1012 +-------------------+----------------------------------------------+ 1014 Table 1: Accepted Values for Type 1016 "float32" and "float64" are distinguished from each other in their 1017 intent. "float32" indicates data intended to be processed as an IEEE 1018 754 single-precision float, whereas "float64" indicates data intended 1019 to be processed as an IEEE 754 double-precision float. Tools which 1020 generate code from JTD schemas will likely produce different code for 1021 "float32" than for "float64". 1023 If _T_ starts with "int" or "uint", then the instance is accepted if 1024 and only if it is a JSON number encoding a value with zero fractional 1025 part. Depending on the value of _T_, this encoded number must 1026 additionally fall within a particular range: 1028 +--------+---------------------------+---------------------------+ 1029 | _T_ | Minimum Value (Inclusive) | Maximum Value (Inclusive) | 1030 +--------+---------------------------+---------------------------+ 1031 | int8 | -128 | 127 | 1032 | | | | 1033 | uint8 | 0 | 255 | 1034 | | | | 1035 | int16 | -32,768 | 32,767 | 1036 | | | | 1037 | uint16 | 0 | 65,535 | 1038 | | | | 1039 | int32 | -2,147,483,648 | 2,147,483,647 | 1040 | | | | 1041 | uint32 | 0 | 4,294,967,295 | 1042 +--------+---------------------------+---------------------------+ 1044 Table 2: Ranges for Integer Types 1046 Note that 1048 10 1050 and 1052 10.0 1054 and 1056 1.0e1 1058 encode values with zero fractional part, whereas 1060 10.5 1062 encodes a number with a non-zero fractional part. Thus the schema 1064 {"type": "int8"} 1066 accepts 1068 10 1070 and 1072 10.0 1074 and 1075 1.0e1 1077 but rejects 1079 10.5 1081 as well as 1083 false 1085 because "false" is not a number at all. 1087 If the instance is not accepted, then the error indicator for this 1088 case shall have an "instancePath" pointing to the instance, and a 1089 "schemaPath" pointing to the schema member with the name "type". 1091 For example, the schema: 1093 {"type": "boolean"} 1095 accepts 1097 false 1099 but rejects 1101 127 1103 The schema: 1105 {"type": "float32"} 1107 accepts 1109 10.5 1111 and 1113 127 1115 but rejects 1117 false 1119 The schema: 1121 {"type": "string"} 1123 accepts 1125 "1985-04-12T23:20:50.52Z" 1127 and 1129 "foo" 1131 but rejects 1133 false 1135 The schema: 1137 {"type": "timestamp"} 1139 accepts 1141 "1985-04-12T23:20:50.52Z" 1143 but rejects 1145 "foo" 1147 and 1149 false 1151 The schema: 1153 {"type": "boolean", "nullable": true} 1155 accepts 1157 null 1159 and 1161 false 1163 but rejects 1165 127 1167 In all of the examples of rejected instances given in this section, 1168 the error indicator to produce is: 1170 [{ "instancePath": "", "schemaPath": "/type" }] 1172 3.3.4. Enum 1174 The "enum" form is meant to describe instances whose value must be 1175 one of a given set of string values. The syntax of the "enum" form 1176 is described in Section 2.2.4. 1178 If a schema is of the enum form, then: 1180 o If the schema has a member named "nullable" whose value is the 1181 boolean "true", and the instance is the JSON primitive value 1182 "null", then the schema accepts the instance. Otherwise: 1184 o Let _E_ be the value of the schema member with the name "enum". 1185 The instance is accepted if and only if it is equal to one of the 1186 elements of _E_. 1188 If the instance is not accepted, then the error indicator for this 1189 case shall have an "instancePath" pointing to the instance, and a 1190 "schemaPath" pointing to the schema member with the name "enum". 1192 For example, the schema: 1194 { "enum": ["PENDING", "DONE", "CANCELED"] } 1196 Accepts 1198 "PENDING" 1200 and 1202 "DONE" 1204 and 1206 "CANCELED" 1208 but rejects all of 1210 0 1212 and 1214 1 1216 and 1218 2 1220 and 1222 "UNKNOWN" 1224 and 1226 null 1228 with the error indicator: 1230 [{ "instancePath": "", "schemaPath": "/enum" }] 1232 The schema 1234 { "enum": ["PENDING", "DONE", "CANCELED"], "nullable": true } 1236 accepts 1238 "PENDING" 1240 and 1242 null 1244 but rejects 1246 1 1248 and 1250 "UNKNOWN" 1252 with the error indicator: 1254 [{ "instancePath": "", "schemaPath": "/enum" }] 1256 3.3.5. Elements 1258 The "elements" form is meant to describe instances that must be 1259 arrays. A further sub-schema describes the elements of the array. 1260 The syntax of the "elements" form is described in Section 2.2.5. 1262 If a schema is of the elements form, then: 1264 o If the schema has a member named "nullable" whose value is the 1265 boolean "true", and the instance is the JSON primitive value 1266 "null", then the schema accepts the instance. Otherwise: 1268 o Let _S_ be the value of the schema member with the name 1269 "elements". The instance is accepted if and only if all of the 1270 following are true: 1272 * The instance is an array. Otherwise, the error indicator for 1273 this case shall have an "instancePath" pointing to the 1274 instance, and a "schemaPath" pointing to the schema member with 1275 the name "elements". 1277 * If the instance is an array, then every element of the instance 1278 must be accepted by _S_. Otherwise, the error indicators for 1279 this case are the union of all the errors arising from 1280 evaluating _S_ against elements of the instance. 1282 For example, the schema: 1284 { 1285 "elements": { 1286 "type": "float32" 1287 } 1288 } 1290 accepts 1292 [] 1294 and 1296 [1, 2, 3] 1298 but rejects 1300 null 1302 with the error indicator: 1304 [{ "instancePath": "", "schemaPath": "/elements" }] 1306 and rejects 1308 [1, 2, "foo", 3, "bar"] 1310 with the error indicators: 1312 [ 1313 { "instancePath": "/2", "schemaPath": "/elements/type" }, 1314 { "instancePath": "/4", "schemaPath": "/elements/type" } 1315 ] 1317 The schema 1319 { 1320 "elements": { 1321 "type": "float32" 1322 }, 1323 "nullable": true 1324 } 1326 accepts 1328 null 1330 and 1332 [] 1334 and 1336 [1, 2, 3] 1338 but rejects 1340 [1, 2, "foo", 3, "bar"] 1342 with the error indicators: 1344 [ 1345 { "instancePath": "/2", "schemaPath": "/elements/type" }, 1346 { "instancePath": "/4", "schemaPath": "/elements/type" } 1347 ] 1349 3.3.6. Properties 1351 The "properties" form is meant to describe JSON objects being used as 1352 a "struct". The syntax of the "properties" form is described in 1353 Section 2.2.6. 1355 If a schema is of the properties form, then: 1357 o If the schema has a member named "nullable" whose value is the 1358 boolean "true", and the instance is the JSON primitive value 1359 "null", then the schema accepts the instance. Otherwise the 1360 instance is accepted if and only if all of the following are true: 1362 o The instance is an object. 1364 Otherwise, the error indicator for this case shall have an 1365 "instancePath" pointing to the instance, and a "schemaPath" 1366 pointing to the schema member with the name "properties" if such a 1367 schema member exists; if such a member doesn't exist, "schemaPath" 1368 shall point to the schema member with the name 1369 "optionalProperties". 1371 o If the instance is an object and the schema has a member named 1372 "properties", then let _P_ be the value of the schema member named 1373 "properties". _P_, by Section 2.2.6, must be an object. For every 1374 member name in _P_, a member of the same name in the instance must 1375 exist. 1377 Otherwise, the error indicator for this case shall have an 1378 "instancePath" pointing to the instance, and a "schemaPath" 1379 pointing to the member of _P_ failing the requirement just 1380 described. 1382 o If the instance is an object, then let _P_ be the value of the 1383 schema member named "properties" (if it exists), and _O_ be the 1384 value of the schema member named "optionalProperties" (if it 1385 exists). 1387 For every member _I_ of the instance, find a member with the same 1388 name as _I_'s in _P_ or _O_. By Section 2.2.6, it is not possible 1389 for both _P_ and _O_ to have such a member. If the "discriminator 1390 tag exemption" is in effect on _I_ (see Section 3.3.8), then 1391 ignore _I_. Otherwise: 1393 * If no such member in _P_ or _O_ exists and validation is not in 1394 "allow additional properties" mode (see Section 3.1), then the 1395 instance is rejected. 1397 The error indicator for this case has an "instancePath" 1398 pointing to _I_, and a "schemaPath" pointing to the schema. 1400 * If such a member in _P_ or _O_ does exist, then call this 1401 member _S_. If _S_ rejects _I_'s value, then the instance is 1402 rejected. 1404 The error indicators for this case are the union of the error 1405 indicators from evaluating _S_ against _I_'s value. 1407 An instance may have multiple errors arising from the third and 1408 fourth bullet in the above. In this case, the error indicators are 1409 the union of the errors. 1411 For example, the schema: 1413 { 1414 "properties": { 1415 "a": { "type": "string" }, 1416 "b": { "type": "string" } 1417 }, 1418 "optionalProperties": { 1419 "c": { "type": "string" }, 1420 "d": { "type": "string" } 1421 } 1422 } 1424 accepts 1426 { "a": "foo", "b": "bar" } 1428 and 1430 { "a": "foo", "b": "bar", "c": "baz" } 1432 and 1434 { "a": "foo", "b": "bar", "c": "baz", "d": "quux" } 1436 and 1438 { "a": "foo", "b": "bar", "d": "quux" } 1440 but rejects 1442 null 1444 with the error indicator 1446 [{ "instancePath": "", "schemaPath": "/properties" }] 1448 and rejects 1450 { "b": 3, "c": 3, "e": 3 } 1452 with the error indicators 1454 [ 1455 { "instancePath": "", 1456 "schemaPath": "/properties/a" }, 1457 { "instancePath": "/b", 1458 "schemaPath": "/properties/b/type" }, 1459 { "instancePath": "/c", 1460 "schemaPath": "/optionalProperties/c/type" }, 1461 { "instancePath": "/e", 1462 "schemaPath": "" } 1463 ] 1465 If instead the schema had "additionalProperties: true", but was 1466 otherwise the same: 1468 { 1469 "properties": { 1470 "a": { "type": "string" }, 1471 "b": { "type": "string" } 1472 }, 1473 "optionalProperties": { 1474 "c": { "type": "string" }, 1475 "d": { "type": "string" } 1476 }, 1477 "additionalProperties": true 1478 } 1480 And the instance remained the same: 1482 { "b": 3, "c": 3, "e": 3 } 1484 Then the error indicators from evaluating the instance against the 1485 schema would be: 1487 [ 1488 { "instancePath": "", 1489 "schemaPath": "/properties/a" }, 1490 { "instancePath": "/b", 1491 "schemaPath": "/properties/b/type" }, 1492 { "instancePath": "/c", 1493 "schemaPath": "/optionalProperties/c/type" }, 1494 ] 1496 These are the same errors as before, except the final error 1497 (associated with the additional member named "e" in the instance) is 1498 no longer present. This is because "additionalProperties: true" 1499 enables "allow additional properties" mode on the schema. 1501 Finally, the schema: 1503 { 1504 "nullable": true, 1505 "properties": { 1506 "a": { "type": "string" }, 1507 "b": { "type": "string" } 1508 }, 1509 "optionalProperties": { 1510 "c": { "type": "string" }, 1511 "d": { "type": "string" } 1512 }, 1513 "additionalProperties": true 1514 } 1516 accepts 1518 null 1520 but rejects 1522 { "b": 3, "c": 3, "e": 3 } 1524 with the error indicators 1526 [ 1527 { "instancePath": "", 1528 "schemaPath": "/properties/a" }, 1529 { "instancePath": "/b", 1530 "schemaPath": "/properties/b/type" }, 1531 { "instancePath": "/c", 1532 "schemaPath": "/optionalProperties/c/type" }, 1533 ] 1535 3.3.7. Values 1537 The "values" form is meant to describe instances that are JSON 1538 objects being used as an associative array. The syntax of the 1539 "values" form is described in Section 2.2.7. 1541 If a schema is of the values form, then: 1543 o If the schema has a member named "nullable" whose value is the 1544 boolean "true", and the instance is the JSON primitive value 1545 "null", then the schema accepts the instance. Otherwise: 1547 o Let _S_ be the value of the schema member with the name "values". 1548 The instance is accepted if and only if all of the following are 1549 true: 1551 * The instance is an object. Otherwise, the error indicator for 1552 this case shall have an "instancePath" pointing to the 1553 instance, and a "schemaPath" pointing to the schema member with 1554 the name "values". 1556 * If the instance is an object, then every member value of the 1557 instance must be accepted by _S_. Otherwise, the error 1558 indicators for this case are the union of all the error 1559 indicators arising from evaluating _S_ against member values of 1560 the instance. 1562 For example, the schema: 1564 { 1565 "values": { 1566 "type": "float32" 1567 } 1568 } 1570 accepts 1572 {} 1574 and 1576 {"a": 1, "b": 2} 1578 but rejects 1580 null 1582 with the error indicator 1584 [{ "instancePath": "", "schemaPath": "/values" }] 1586 and rejects 1588 { "a": 1, "b": 2, "c": "foo", "d": 3, "e": "bar" } 1590 with the error indicators 1592 [ 1593 { "instancePath": "/c", "schemaPath": "/values/type" }, 1594 { "instancePath": "/e", "schemaPath": "/values/type" } 1595 ] 1597 The schema: 1599 { 1600 "nullable": true, 1601 "values": { 1602 "type": "float32" 1603 } 1604 } 1606 accepts 1608 null 1610 but rejects 1612 { "a": 1, "b": 2, "c": "foo", "d": 3, "e": "bar" } 1614 with the error indicators 1616 [ 1617 { "instancePath": "/c", "schemaPath": "/values/type" }, 1618 { "instancePath": "/e", "schemaPath": "/values/type" } 1619 ] 1621 3.3.8. Discriminator 1623 The "discriminator" form is meant to describe JSON objects being used 1624 in a fashion similar to a discriminated union construct in C-like 1625 languages. The syntax of the "discriminator" form is described in 1626 Section 2.2.8. 1628 When a schema is of the "discriminator" form, it validates: 1630 o That the instance is an object, 1632 o That the instance has a particular "tag" property, 1634 o That this "tag" property's value is a string within a set of valid 1635 values, and 1637 o That the instance satisfies another schema, where this other 1638 schema is chosen based on the value of the "tag" property. 1640 The behavior of the discriminator form is more complex than the other 1641 keywords. Readers familiar with CDDL may find the final example in 1642 Appendix B helpful in understanding its behavior. What follows in 1643 this section is a description of the discriminator form's behavior, 1644 as well as some examples. 1646 If a schema is of the "discriminator" form, then: 1648 o Let _D_ be the schema member with the name "discriminator". 1650 o Let _M_ be the schema member with the name "mapping". 1652 o Let _I_ be the instance member whose name equals _D_'s value. _I_ 1653 may, for some rejected instances, not exist. 1655 o Let _S_ be the member of _M_ whose name equals _I_'s value. _S_ 1656 may, for some rejected instances, not exist. 1658 If the schema has a member named "nullable" whose value is the 1659 boolean "true", and the instance is the JSON primitive value "null", 1660 then the schema accepts the instance. Otherwise the instance is 1661 accepted if and only if all of the following are true: 1663 o The instance is an object. 1665 Otherwise, the error indicator for this case shall have an 1666 "instancePath" pointing to the instance, and a "schemaPath" 1667 pointing to _D_. 1669 o If the instance is a JSON object, then _I_ must exist. 1671 Otherwise, the error indicator for this case shall have an 1672 "instancePath" pointing to the instance, and a "schemaPath" 1673 pointing to _D_. 1675 o If the instance is a JSON object and _I_ exists, _I_'s value must 1676 be a string. 1678 Otherwise, the error indicator for this case shall have an 1679 "instancePath" pointing to _I_, and a "schemaPath" pointing to 1680 _D_. 1682 o If the instance is a JSON object and _I_ exists and has a string 1683 value, then _S_ must exist. 1685 Otherwise, the error indicator for this case shall have an 1686 "instancePath" pointing to _I_, and a "schemaPath" pointing to 1687 _M_. 1689 o If the instance is a JSON object, _I_ exists, and _S_ exists, then 1690 the instance must satisfy _S_'s value. By Section 2, _S_'s value 1691 must be a schema of the properties form. Apply the "discriminator 1692 tag exemption" afforded in Section 3.3.6 to _I_ when evaluating 1693 whether the instance satisfies _S_'s value. 1695 Otherwise, the error indicators for this case shall be error 1696 indicators from evaluating _S_'s value against the instance, with 1697 the "discriminator tag exemption" applied to _I_. 1699 The list items above are defined in a mutually exclusive way. For 1700 any given instance and schema, exactly one of the list items above 1701 will apply. 1703 For example, the schema: 1705 { 1706 "discriminator": "version", 1707 "mapping": { 1708 "v1": { 1709 "properties": { 1710 "a": { "type": "float32" } 1711 } 1712 }, 1713 "v2": { 1714 "properties": { 1715 "a": { "type": "string" } 1716 } 1717 } 1718 } 1719 } 1721 rejects 1723 null 1725 with the error indicator 1727 [{ "instancePath": "", "schemaPath": "/discriminator" }] 1729 (This is the case of the instance not being an object.) 1731 Also rejected is 1733 {} 1735 with the error indicator 1737 [{ "instancePath": "", "schemaPath": "/discriminator" }] 1739 (This is the case of _I_ not existing.) 1741 Also rejected is 1742 { "version": 1 } 1744 with the error indicator 1746 [ 1747 { 1748 "instancePath": "/version", 1749 "schemaPath": "/discriminator" 1750 } 1751 ] 1753 (This is the case of _I_ existing, but not having a string value.) 1755 Also rejected is 1757 { "version": "v3" } 1759 with the error indicator 1761 [ 1762 { 1763 "instancePath": "/version", 1764 "schemaPath": "/mapping" 1765 } 1766 ] 1768 (This is the case of _I_ existing and having a string value, but _S_ 1769 not existing.) 1771 Also rejected is 1773 { "version": "v2", "a": 3 } 1775 with the error indicator 1777 [ 1778 { 1779 "instancePath": "/a", 1780 "schemaPath": "/mapping/v2/properties/a/type" 1781 } 1782 ] 1784 (This is the case of _I_ and _S_ existing, but the instance not 1785 satisfying _S_'s value.) 1787 Finally, the schema accepts 1789 { "version": "v2", "a": "foo" } 1791 This instance is accepted even though "version" is not mentioned by 1792 "/mapping/v2/properties"; the "discriminator tag exemption" ensures 1793 that "version" is not treated as an additional property when 1794 evaluating the instance against _S_'s value. 1796 By contrast, consider the same schema, but with "nullable" being 1797 "true". The schema: 1799 { 1800 "nullable": true, 1801 "discriminator": "version", 1802 "mapping": { 1803 "v1": { 1804 "properties": { 1805 "a": { "type": "float32" } 1806 } 1807 }, 1808 "v2": { 1809 "properties": { 1810 "a": { "type": "string" } 1811 } 1812 } 1813 } 1814 } 1816 accepts 1818 null 1820 To further illustrate the discriminator form with examples, recall 1821 the JTD schema in Section 2.2.8, reproduced here: 1823 { 1824 "discriminator": "event_type", 1825 "mapping": { 1826 "account_deleted": { 1827 "properties": { 1828 "account_id": { "type": "string" } 1829 } 1830 }, 1831 "account_payment_plan_changed": { 1832 "properties": { 1833 "account_id": { "type": "string" }, 1834 "payment_plan": { "enum": ["FREE", "PAID"] } 1835 }, 1836 "optionalProperties": { 1837 "upgraded_by": { "type": "string" } 1838 } 1839 } 1840 } 1841 } 1843 This schema accepts 1845 { "event_type": "account_deleted", "account_id": "abc-123" } 1847 and 1849 { 1850 "event_type": "account_payment_plan_changed", 1851 "account_id": "abc-123", 1852 "payment_plan": "PAID" 1853 } 1855 and 1857 { 1858 "event_type": "account_payment_plan_changed", 1859 "account_id": "abc-123", 1860 "payment_plan": "PAID", 1861 "upgraded_by": "users/mkhwarizmi" 1862 } 1864 but rejects 1866 {} 1868 with the error indicator 1870 [{ "instancePath": "", "schemaPath": "/discriminator" }] 1872 and rejects 1874 { "event_type": "some_other_event_type" } 1876 with the error indicator 1878 [ 1879 { 1880 "instancePath": "/event_type", 1881 "schemaPath": "/mapping" 1882 } 1883 ] 1885 and rejects 1887 { "event_type": "account_deleted" } 1889 with the error indicator 1891 [{ 1892 "instancePath": "", 1893 "schemaPath": "/mapping/account_deleted/properties/account_id" 1894 }] 1896 and rejects 1898 { 1899 "event_type": "account_payment_plan_changed", 1900 "account_id": "abc-123", 1901 "payment_plan": "PAID", 1902 "xxx": "asdf" 1903 } 1905 with the error indicator 1907 [{ 1908 "instancePath": "/xxx", 1909 "schemaPath": "/mapping/account_payment_plan_changed" 1910 }] 1912 4. IANA Considerations 1914 No IANA considerations. 1916 5. Security Considerations 1918 Implementations of JTD will necessarily be manipulating JSON data. 1919 Therefore, the security considerations of [RFC8259] are all relevant 1920 here. 1922 Implementations which evaluate user-inputted schemas SHOULD implement 1923 mechanisms to detect, and abort, circular references which might 1924 cause a naive implementation to go into an infinite loop. Without 1925 such mechanisms, implementations may be vulnerable to denial-of- 1926 service attacks. 1928 6. References 1930 6.1. Normative References 1932 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1933 Requirement Levels", BCP 14, RFC 2119, 1934 DOI 10.17487/RFC2119, March 1997, 1935 . 1937 [RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet: 1938 Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, 1939 . 1941 [RFC6901] Bryan, P., Ed., Zyp, K., and M. Nottingham, Ed., 1942 "JavaScript Object Notation (JSON) Pointer", RFC 6901, 1943 DOI 10.17487/RFC6901, April 2013, 1944 . 1946 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1947 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1948 May 2017, . 1950 [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data 1951 Interchange Format", STD 90, RFC 8259, 1952 DOI 10.17487/RFC8259, December 2017, 1953 . 1955 [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data 1956 Definition Language (CDDL): A Notational Convention to 1957 Express Concise Binary Object Representation (CBOR) and 1958 JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, 1959 June 2019, . 1961 6.2. Informative References 1963 [I-D.handrews-json-schema] 1964 Wright, A., Andrews, H., Hutton, B., and G. Dennis, "JSON 1965 Schema: A Media Type for Describing JSON Documents", 1966 draft-handrews-json-schema-02 (work in progress), 1967 September 2019. 1969 [OPENAPI] OpenAPI Initiative, "OpenAPI Specification", October 2019, 1970 . 1972 [RFC7071] Borenstein, N. and M. Kucherawy, "A Media Type for 1973 Reputation Interchange", RFC 7071, DOI 10.17487/RFC7071, 1974 November 2013, . 1976 [RFC7493] Bray, T., Ed., "The I-JSON Message Format", RFC 7493, 1977 DOI 10.17487/RFC7493, March 2015, 1978 . 1980 Appendix A. Other Considerations 1982 This appendix is not normative. 1984 This section describes possible features which are intentionally left 1985 out of JSON Type Definition, and justifies why these features are 1986 omitted. 1988 A.1. Support for 64-bit Numbers 1990 This document does not allow "int64" or "uint64" as values for the 1991 JTD "type" keyword (see Section 2.2.3 and Section 3.3.3). Such 1992 hypothetical "int64" or "uint64" types would behave like "int32" or 1993 "uint32" (respectively), but with the range of values associated with 1994 64-bit instead of 32-bit integers, that is: 1996 o "int64" would accept numbers between -(2**63) and (2**63)-1 1998 o "uint64" would accept numbers between 0 and (2**64)-1 2000 Users of "int64" and "uint64" would likely expect that the full range 2001 of signed or unsigned 64-bit integers could interoperably be 2002 transmitted as JSON without loss of precision. But this assumption 2003 is likely to be incorrect, for the reasons given in Section 2.2 of 2004 [RFC7493]. 2006 "int64" and "uint64" likely would have led users to falsely assume 2007 that the full range of 64-bit integers can be interoperably processed 2008 as JSON without loss of precision. To avoid leading users astray, 2009 JTD omits "int64" and "uint64". 2011 A.2. Support for Non-Root Definitions 2013 This document disallows the "definitions" keyword from appearing 2014 outside of root schemas (see Figure 1). Conceivably, this document 2015 could have instead allowed "definitions" to appear on any schema, 2016 even non-root ones. Under this alternative design, "ref"s would 2017 resolve to a definition in the "nearest" (i.e., most nested) schema 2018 which both contained the "ref" and which had a suitably-named 2019 "definitions" member. 2021 For instance, under this alternative approach, one could define 2022 schemas like the one in Figure 3: 2024 { 2025 "properties": { 2026 "foo": { 2027 "definitions": { 2028 "user": { "properties": { "user_id": {"type": "string" }}} 2029 }, 2030 "ref": "user" 2031 }, 2032 "bar": { 2033 "definitions": { 2034 "user": { "properties": { "user_id": {"type": "string" }}} 2035 }, 2036 "ref": "user" 2037 }, 2038 "baz": { 2039 "definitions": { 2040 "user": { "properties": { "userId": {"type": "string" }}} 2041 }, 2042 "ref": "user" 2043 } 2044 } 2045 } 2047 Figure 3: A hypothetical schema had this document permitted non-root 2048 definitions. This is not a correct JTD schema. 2050 If schemas like that in Figure 3 were permitted, code generation from 2051 JTD schemas would be more difficult, and the generated code would be 2052 less useful. 2054 Code generation would be more difficult because it would force code 2055 generators to implement a name mangling scheme for types generated 2056 from definitions. This additional difficulty is not immense, but 2057 adds complexity to an otherwise relatively trivial task. 2059 Generated code would be less useful because generated, mangled struct 2060 names are less pithy than human-defined struct names. For instance, 2061 the "user" definitions in Figure 3 might have been generated into 2062 types named "PropertiesFooUser", "PropertiesBarUser", and 2063 "PropertiesBazUser"; obtuse names like these are less useful to 2064 human-written code than names like "User". 2066 Furthermore, even though "PropertiesFooUser" and "PropertiesBarUser" 2067 would be essentially identical, they would not be interchangeable in 2068 many statically-typed programming languages. A code generator could 2069 attempt to circumvent this by deduplicating identical definitions, 2070 but then the user might be confused as to why the subtly distinct 2071 "PropertiesBazUser", defined from a schema allowing a property named 2072 "userId" (not "user_id"), was not deduplicated. 2074 Because there seem to be implementation and usability challenges 2075 associated with non-root definitions, and because it would be easier 2076 to later amend JTD to permit for non-root definitions than to later 2077 amend JTD to prohibit them, this document does not permit non-root 2078 definitions in JTD schemas. 2080 Appendix B. Comparison with CDDL 2082 This appendix is not normative. 2084 To aid the reader familiar with CDDL, this section illustrates how 2085 JTD works by presenting JTD schemas and CDDL schemas which accept and 2086 reject the same instances. 2088 The JTD schema: 2090 {} 2092 accepts the same instances as the CDDL rule: 2094 root = any 2096 The JTD schema: 2098 { 2099 "definitions": { 2100 "a": { "elements": { "ref": "b" }}, 2101 "b": { "type": "float32" } 2102 }, 2103 "elements": { 2104 "ref": "a" 2105 } 2106 } 2108 accepts the same instances as the CDDL rule: 2110 root = [* a] 2112 a = [* b] 2113 b = number 2115 The JTD schema: 2117 { "enum": ["PENDING", "DONE", "CANCELED"]} 2119 accepts the same instances as the CDDL rule: 2121 root = "PENDING" / "DONE" / "CANCELED" 2123 The JTD schema: 2125 {"type": "boolean"} 2127 accepts the same instances as the CDDL rule: 2129 root = bool 2131 The JTD schemas: 2133 {"type": "float32"} 2135 and 2137 {"type": "float64"} 2139 both accept the same instances as the CDDL rule: 2141 root = number 2143 The JTD schema: 2145 {"type": "string"} 2147 accepts the same instances as the CDDL rule: 2149 root = tstr 2151 The JTD schema: 2153 {"type": "timestamp"} 2155 accepts the same instances as the CDDL rule: 2157 root = tdate 2159 The JTD schema: 2161 { "elements": { "type": "float32" }} 2163 accepts the same instances as the CDDL rule: 2165 root = [* number] 2167 The JTD schema: 2169 { 2170 "properties": { 2171 "a": { "type": "boolean" }, 2172 "b": { "type": "float32" } 2173 }, 2174 "optionalProperties": { 2175 "c": { "type": "string" }, 2176 "d": { "type": "timestamp" } 2177 } 2178 } 2180 accepts the same instances as the CDDL rule: 2182 root = { a: bool, b: number, ? c: tstr, ? d: tdate } 2184 The JTD schema: 2186 { "values": { "type": "float32" }} 2188 accepts the same instances as the CDDL rule: 2190 root = { * tstr => number } 2192 Finally, the JTD schema: 2194 { 2195 "discriminator": "a", 2196 "mapping": { 2197 "foo": { 2198 "properties": { 2199 "b": { "type": "float32" } 2200 } 2201 }, 2202 "bar": { 2203 "properties": { 2204 "b": { "type": "string" } 2205 } 2206 } 2207 } 2208 } 2210 accepts the same instances as the CDDL rule: 2212 root = { a: "foo", b: number } / { a: "bar", b: tstr } 2214 Appendix C. Examples 2216 This appendix is not normative. 2218 As a demonstration of JTD, in Figure 4 is a JTD schema closely 2219 equivalent to the plain-English definition "reputation-object" 2220 described in Section 6.2.2 of [RFC7071]: 2222 { 2223 "properties": { 2224 "application": { "type": "string" }, 2225 "reputons": { 2226 "elements": { 2227 "additionalProperties": true, 2228 "properties": { 2229 "rater": { "type": "string" }, 2230 "assertion": { "type": "string" }, 2231 "rated": { "type": "string" }, 2232 "rating": { "type": "float32" }, 2233 }, 2234 "optionalProperties": { 2235 "confidence": { "type": "float32" }, 2236 "normal-rating": { "type": "float32" }, 2237 "sample-size": { "type": "float64" }, 2238 "generated": { "type": "float64" }, 2239 "expires": { "type": "float64" } 2240 } 2241 } 2242 } 2243 } 2244 } 2246 Figure 4: A JTD schema describing "reputation-object" from 2247 Section 6.6.2 of [RFC7071] 2249 This schema does not enforce the requirement that "sample-size", 2250 "generated", and "expires" be unbounded positive integers. It does 2251 not express the limitation that "rating", "confidence", and "normal- 2252 rating" should not have more than three decimal places of precision. 2254 The example in Figure 4 can be compared against the equivalent 2255 example in Appendix H of [RFC8610]. 2257 Acknowledgments 2259 Carsten Bormann provided lots of useful guidance and feedback on 2260 JTD's design and the structure of this document. 2262 Evgeny Poberezkin suggested the addition of "nullable", and 2263 thoroughly vetted this document for mistakes and opportunities for 2264 simplification. 2266 Tim Bray suggested the current "ref" model, and the addition of 2267 "enum". Anders Rundgren suggested extending "type" to have more 2268 support for numerical types. James Manger suggested additional 2269 clarifying examples of how integer types work. Adrian Farrel 2270 suggested many improvements to help make this document clearer. 2272 Members of the IETF JSON mailing list - in particular, Pete Cordell, 2273 Phillip Hallam-Baker, Nico Williams, John Cowan, Rob Sayre, and Erik 2274 Wilde - provided lots of useful feedback. 2276 OpenAPI's "discriminator" object [OPENAPI] inspired the 2277 "discriminator" form. [I-D.handrews-json-schema] influenced various 2278 parts of JTD's early design. 2280 Author's Address 2282 Ulysse Carion 2283 Segment.io, Inc 2284 100 California Street 2285 San Francisco 94111 2286 United States of America 2288 Email: ulysse@segment.com