Correct JSON Schema for token and add example

[garethsb]

This looks good to me.

At the moment, the "^[a-z_-]+$" object explicitly defines permissions "read" and "write" but others could be added, though they wouldn't get any schema checking. I'm not sure what the right thing to do here is. If we add "additionalProperties": false, then we'd have to version-up to allow other permissions.

[garethsb]

I'm concerned about the example "aud" claim, which includes "https://node-*.example.com".

Firstly, the documentation and schema for "aud" both say the value should be a domain name, not a URL?

Secondly, I don't believe node-*.example.com is a valid wildcard domain per RFC 4592 to which the documentation refers?

However, the usage of * in the example does seem the same as what is now defined for "x-nmos-api"...

[garethsb]

@dannymeloy Do the IS-10 doc/schema for "aud" need updating to describe that any StringOrURI is allowed as per RFC 75199 and only recommend to use fully-qualified domain name or wildcard domain name, or can we actually 'override' RFC 7519 in IS-10?

(I notice RFC 7519 also allows a single string rather than an array of strings for "aud"...)

[dannymeloy]

Think we're trying to "constrain" rather than "override" - one part of that constraining to help with interoperability was to limit the aud claim to an array. I agree they need to be altered to be in line with RFC 7519 - I assume the same also applies to the iss claim? As that also is defined in the RFC as a StringOrURI whilst its currently defined in the spec as a "DNS Name".

[garethsb]

Yes, good point, 'constrain' not 'override' is completely fair!

I don't quite understand whether our schemas should reflect our additional constraints or not, or only represent the underlying RFC specs? If so, then maybe the descriptions (that required a domain name or wildcard) were completely fine! (That is, if we do require NMOS implementations to use domain names, not just recommend it?)