Status of proposed JSON schema extensions?

[spadgett]

The Google doc for #59 mentions some JSON schema extensions:

https://docs.google.com/document/d/1-IKI-PwPnhtbK0su1UzWA_UoyaCjL8S2d6ky3Xmuwvg/edit#

It's not clear to me what the status of these are, even though the proposal in the validation through implementation phase. Specifically I'm interested in the x-servicebroker-secret extension since it has security implications.

It doesn't seem uncommon for brokers to accept passwords, access tokens, and other sensitive data as parameters, but only the broker knows which are potentially sensitive. This impacts how UIs display these values and how the platform stores them.

What is the status of the proposed x-servicebroker-secret extension? Is this something implementations can begin validating or does it require a separate proposal?

cc @pmorie @jwforres

[mattmcneeney]

We're also interested in this, and as part of the validation work we're doing for #59 we have been investigating how we could implement this.

The simplest solution we've found so far is adding a "sensitive": true field to any object for which UIs should render as a password. The key issue is, if we all agree this is a sensible addition, how should we add this to the spec?

We have considered two approaches:

1. Adding these special fields to the profiles.md file for each platform
2. Creating a meta schema that extends JSON schema draft 4 and details these extensions

We can discuss this on next weeks' call, but it would be great to hear any feedback folks have on this.

[Samze]

Also there is a bunch of discussion on this issue in the comments section here and below.

[pmorie]

We discussed this on the July 25, 2017 WG call. There's a desire to get specific information about the UI flows that are desired to help us analyze whether we can accomplish this without using the existing schema.

@spadgett can you outline some additional specifics along those lines for openshift?

[avade]

Can we repurpose this issue to the problem statement?

While it's fine for @mattmcneeney to consider this as part of the validation, I would like to see the spec released with schemas and then add this later.

[mattmcneeney]

I agree. @spadgett do you want to rename this issue so it only relates to the 'secret' field problem and put your problem and any proposed solution in a google doc? If you open up the permissions and ping me a link I'd be happy to help drop our use cases in!

[Samze]

Related issues in JSONSchema

• https://github.com/json-schema-org/json-schema-spec/issues/249
• https://github.com/json-schema-org/json-schema-spec/issues/67

[mattmcneeney]

Closing due to inactivity