diff --git a/IETF-RFC.md b/IETF-RFC.md index 339b524..82f0440 100644 --- a/IETF-RFC.md +++ b/IETF-RFC.md @@ -1677,23 +1677,40 @@ OCM Providers. | - inviteAcceptDialog | | - provider | | - publicKey | - | - tokenEndpoint | + | - publicKeys[] | + | - tokenEndPoint | +-----------------------+ | | exposes | +---------+---------+----------------------+ | | | - v v v -+------------------+ +------------------+ +------------------+ -| ResourceTypes[] | | Capabilities[] | | Criteria[] | -+------------------+ +------------------+ +------------------+ -| - name | | - enforce-mfa | | - allowlist | -| - shareTypes[] | | - exchange-token | | - denylist | -| - protocols{} | | - invite-wayf | | - http-signatures| -+------------------+ | - invites | | - invite | - | | - webdav-uri | | - token-exchange | - | +------------------+ +------------------+ + v v | ++------------------+ +------------------+ | +| ResourceTypes[] | | Capabilities[] | | ++------------------+ +------------------+ | +| - name | | - enforce-mfa | | +| - shareTypes[] | | - exchange-token | | +| - protocols{} | | - http-sig | | ++------------------+ | - invites | | + | | - notifications | | + | | - protocol-object| | + | | - webdav-uri | | + | +------------------+ | + | | + | +----------------+ + | | + | v + | +--------------------------+ + | | Criteria[] | + | +--------------------------+ + | | - allowlist | + | | - denylist | + | | - http-request-signatures| + | | - invite | + | | - token-exchange | + | +--------------------------+ + | | supports v +------------------+ diff --git a/schemas/ocm-discovery.json b/schemas/ocm-discovery.json deleted file mode 100644 index d0df119..0000000 --- a/schemas/ocm-discovery.json +++ /dev/null 
@@ -1,101 +0,0 @@
-{
- "title": "OCM API Discovery",
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean"
- },
- "apiVersion": {
- "type": "string"
- },
- "endPoint": {
- "type": "string",
- "format": "uri"
- },
- "provider": {
- "type": "string"
- },
- "resourceTypes": {
- "type": "array",
- "items": { "$ref": "#/$defs/resourceType" }
- },
- "capabilities": {
- "type": "array",
- "description": "Capabilities values of 'exchange-token', 'webdav-uri', 'protocol-object', 'invites', 'invite-wayf' defined in draft",
- "items": {
- "type": "string"
- }
- },
- "criteria": {
- "type": "array",
- "description": "Criteria values of 'http-request-signatures', 'token-exchange', 'denlyist' and 'allowlist' are defined in draft",
- "items": {
- "type": "string"
- }
- },
- "publicKey": {
- "$ref": "#/$defs/publicKey"
- },
- "inviteAcceptDialog": {
- "type": "string",
- "format": "uri"
- },
- "tokenEndPoint": {
- "type": "string",
- "format": "uri"
- }
- },
- "required": [
- "enabled",
- "apiVersion",
- "endPoint",
- "resourceTypes"
- ],
- "$defs": {
- "resourceType": {
- "properties": {
- "name": {
- "type": "string"
- },
- "shareTypes": {
- "type": "array"
- },
- "protocols": { "$ref": "#/$defs/protocols" }
- },
- "required": ["name", "shareTypes", "protocols"]
- },
- "protocols": {
- "type": "object",
- "minProperties": 1,
- "description": "Additional protocols besides 'webdav', 'webapp' and 'datatx' may be defined.",
- "properties": {
- "webdav": {
- "type": "string",
- "pattern": "^/"
- },
- "webapp": {
- "type": "string",
- "pattern": "^/"
- },
- "datatx": {
- "type": "string",
- "pattern": "^/"
- }
- }
- },
- "publicKey": {
- "type": "object",
- "properties": {
- "keyId": {
- "type": "string"
- },
- "publicKeyPem": {
- "type": "string"
- }
- },
- "required": ["keyId", "publicKeyPem" ]
-
- }
- }
-}
\ No newline at end of file
diff --git a/schemas/ocm-discovery.jsonc b/schemas/ocm-discovery.jsonc
new file mode 100644
index 0000000..a240c17
--- /dev/null
+++ b/schemas/ocm-discovery.jsonc
@@ -0,0 +1,88 @@
+{
+ // Discovery schema for OCM API Discovery (JSON Schema, JSONC for comments).
+ //
+ // Content source of truth: IETF-RFC.md (this repo).
+ //
+ // Mixed URL forms (per draft wording):
+ // - inviteAcceptDialog is a URL path (starts with "/"), resolved at the server origin.
+ // - tokenEndPoint is a URL (typically https://...) of the token exchange endpoint.
+ //
+ "title": "OCM API Discovery",
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "type": "object",
+ "properties": {
+ "enabled": { "type": "boolean" },
+ "apiVersion": { "type": "string" },
+ "endPoint": { "type": "string", "format": "uri" },
+ "provider": { "type": "string" },
+ "resourceTypes": {
+ "type": "array",
+ "items": { "$ref": "#/$defs/resourceType" }
+ },
+ "capabilities": {
+ "type": "array",
+ "description": "Optional capability tokens (for example: enforce-mfa, exchange-token, http-sig, invites, invite-wayf, notifications, protocol-object, webdav-uri).",
+ "items": { "type": "string" }
+ },
+ "criteria": {
+ "type": "array",
+ "description": "Optional criteria tokens (for example: http-request-signatures, token-exchange, denylist, allowlist, invite).",
+ "items": { "type": "string" }
+ },
+ "publicKey": { "$ref": "#/$defs/publicKeyLegacy" },
+ "publicKeys": {
+ "type": "array",
+ "description": "Optional public keys for RFC 9421 HTTP Message Signatures (see IETF-RFC.md).",
+ "items": { "$ref": "#/$defs/publicKeyRfc9421" }
+ },
+ "inviteAcceptDialog": {
+ "type": "string",
+ "pattern": "^/",
+ "description": "URL path of a web page where a user can accept an invite (see IETF-RFC.md)."
+ },
+ "tokenEndPoint": {
+ "type": "string",
+ "format": "uri",
+ "pattern": "^https?://",
+ "description": "URL of the token exchange endpoint (see IETF-RFC.md)."
+ } + }, + "required": ["enabled", "apiVersion", "endPoint", "resourceTypes"], + "$defs": { + "resourceType": { + "properties": { + "name": { "type": "string" }, + "shareTypes": { "type": "array" }, + "protocols": { "$ref": "#/$defs/protocols" } + }, + "required": ["name", "shareTypes", "protocols"] + }, + "protocols": { + "type": "object", + "minProperties": 1, + "description": "Additional protocols besides 'webdav', 'webapp' and 'ssh' may be defined.", + "properties": { + "webdav": { "type": "string", "pattern": "^/" }, + "webapp": { "type": "string", "pattern": "^/" }, + "ssh": { "type": "string" } + } + }, + "publicKeyLegacy": { + "type": "object", + "properties": { + "keyId": { "type": "string" }, + "publicKeyPem": { "type": "string" } + }, + "required": ["keyId", "publicKeyPem"] + }, + "publicKeyRfc9421": { + "type": "object", + "properties": { + "keyId": { "type": "string" }, + "publicKeyPem": { "type": "string" }, + "algorithm": { "type": "string" } + }, + "required": ["keyId", "publicKeyPem", "algorithm"] + } + } +} diff --git a/spec.yaml b/spec.yaml index ab7ed84..87a1f8a 100644 --- a/spec.yaml +++ b/spec.yaml @@ -448,7 +448,7 @@ components: type: array description: > Array of public keys for RFC 9421 HTTP Message Signatures. - Servers advertising the "rfc-http-sig" capability MUST provide this field. + Servers advertising the "http-sig" capability MUST provide this field. Clients SHOULD prefer RFC 9421 signatures when this capability is present. items: type: object @@ -482,7 +482,7 @@ components: type: string format: uri description: > - Optional URL path of the Token Exchange endpoint to obtain bearer tokens in exchange for codes. + Optional URL of the Token Exchange endpoint to obtain bearer tokens in exchange for codes. If the `exchange-token` capability is exposed, the tokenEndPoint MUST be advertised in the discovery response. **Token Exchange API:** 
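Review bot: The two cross-field rules that spec.yaml states in this same commit — the RFC 9421 public-keys array MUST be present when the `http-sig` capability is advertised, and `tokenEndPoint` MUST be advertised when `exchange-token` is — are not expressed in the new schema, so a discovery document that advertises signatures but carries no `publicKeys` (or advertises token exchange with no `tokenEndPoint`) validates cleanly; a draft 2020-12 `allOf`/`if`/`then` block beside `required` closes that gap, as sketched below. Separately, the `tokenEndPoint` pattern `^https?://` admits a cleartext `http://` endpoint for the code-for-bearer-token exchange while the header comment says "typically https://"; if plain HTTP is intentionally permitted (e.g. for local testing) say so in the `description`, otherwise tighten the pattern to `^https://`. `$defs.resourceType`, carried over from the deleted schema, still has no `"type": "object"`, so a non-object element of `resourceTypes` passes because `properties` and `required` only apply to objects; add `"type": "object"` there. `publicKeyRfc9421.algorithm` is an unconstrained string; an `enum` of the accepted algorithm identifiers would let validators reject unknown values early, but since the page does not name that set I leave it as a question for the draft.
```jsonc
  "required": ["enabled", "apiVersion", "endPoint", "resourceTypes"],
  // Cross-field requirements stated in spec.yaml; enforced here so a
  // document advertising a capability cannot omit the data it depends on.
  "allOf": [
    {
      "if": {
        "required": ["capabilities"],
        "properties": { "capabilities": { "contains": { "const": "http-sig" } } }
      },
      "then": { "required": ["publicKeys"] }
    },
    {
      "if": {
        "required": ["capabilities"],
        "properties": { "capabilities": { "contains": { "const": "exchange-token" } } }
      },
      "then": { "required": ["tokenEndPoint"] }
    }
  ],
  // … unchanged: $defs …
```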
@@ -499,7 +499,7 @@ components: - 400: Token denied (application/json with Error schema) See TokenRequest and TokenResponse schemas for the complete data structure. - example: /index.php/apps/sciencemesh/token + example: https://cloud.example.org/ocm/token inviteAcceptDialog: type: string description: > @@ -789,7 +789,7 @@ components: sharedSecret: hfiuhworzwnur98d3wjiwhr viewMode: read ssh: - accessType: ['datatx'] + accessTypes: ['datatx'] uri: extuser@cloud.example.org:/7c084226-d9a1-11e6-bf26-cec0c932ce01 NewNotification: type: object