Add authentication validation to the JSON schema (#2646)

sander1095 · Aniruddh25 · RubenCerna2079 · web-flow · commit d05fecb483d3 · 2025-06-17T18:38:28.000-07:00
## Why make this change? Closes #2643 The JSON schema does not contain a list of auth providers, nor does it validate the use of the `jwt` property. This results in a suboptimal developer experience. By adding this list and validation, developers have an easier time learning about all the options and can be more productive. ## What is this change? - This change modifies the JSON schema with a list of providers and validation of the providers and the `jwt` property. [StackOverflow helped me](https://stackoverflow.com/q/79557612/3013479) with the finer details of the validation. - I also added tests to validate my changes. - Migrate from `NJsonSchema` to `Newtonsoft.Json.Schema` because `NJsonSchema` [doesn't validate `anyof + const` correctly](RicoSuter/NJsonSchema#1596). `Newtonsoft.Json.Schema` does work in this case. - Changed `https` to `http` in the schema file to be spec compliant. Draft-07's original URL is http-based. - If you try to validate a document with the `https` url, it will fail because of the unknown schema URL. - This does **not** impact security. The schema should just be a placeholder for the json validator binary to know what rules to use, and it's redirected to https when you navigate to it, anyway. ## How was this tested? - [x] Integration Tests - [x] Unit Tests ## Sample Request(s) ![image](https://github.com/user-attachments/assets/3d70b56f-78e4-4f10-90ab-4f8a1356ce6c) ![image](https://github.com/user-attachments/assets/37b11c95-d443-4ee2-81c2-a54365a47cbe) ![image](https://github.com/user-attachments/assets/a04030cf-cec8-41cc-80a3-78e17f155bb6) --------- Co-authored-by: Aniruddh Munde <anmunde@microsoft.com> Co-authored-by: RubenCerna2079 <32799214+RubenCerna2079@users.noreply.github.com>
diff --git a/docs/design/dab-validate.md b/docs/design/dab-validate.md
@@ -51,4 +51,3 @@ The following types of validations are run on the config file (in the order spec
 
 ## Limitations
 1. Currently the `validate` command support is limited to single datasource config file.
-2. `NJsonSchema.Net` package currently has an open issue that overlooks/ ignores "if then else" conditions in json schema for attribute checks. (refer [here](https://github.com/RicoSuter/NJsonSchema/issues/1240))
diff --git a/schemas/dab.draft.schema.json b/schemas/dab.draft.schema.json
@@ -1,5 +1,5 @@
 {
-  "$schema": "https://json-schema.org/draft-07/schema",
+  "$schema": "http://json-schema.org/draft-07/schema",
   "$id": "https://github.com/Azure/data-api-builder/releases/download/vmajor.minor.patch/dab.draft.schema.json",
   "title": "Data API builder",
   "description": "Schema for Data API builder engine",
@@ -277,8 +277,33 @@
               "additionalProperties": false,
               "properties": {
                 "provider": {
-                  "type": "string",
                   "description": "The name of authentication provider",
+                  "oneOf": [
+                    {
+                      "const": "StaticWebApps",
+                      "description": "Authentication provided by Azure Static Web Apps."
+                    },
+                    {
+                      "const": "EntraID",
+                      "description": "Authentication provided by Microsoft Entra ID (formerly Azure AD). Use the JWT property to configure this provider."
+                    },
+                    {
+                      "const": "Simulator",
+                      "description": "Simulated authentication for development and testing purposes."
+                    },
+                    {
+                      "const": "AppService",
+                      "description": "Authentication provided by Azure App Service."
+                    },
+                    {
+                      "const": "AzureAD",
+                      "description": "Synonymous with the EntraID value. Use the JWT property to configure this provider."
+                    },
+                    {
+                      "const": "Custom",
+                      "description": "Custom authentication provider defined by the user. Use the JWT property to configure the custom provider."
+                    }
+                  ],
                   "default": "StaticWebApps"
                 },
                 "jwt": {
@@ -291,9 +316,29 @@
                     "issuer": {
                       "type": "string"
                     }
-                  }
+                  },
+                  "required": ["audience", "issuer"]
                 }
-              }
+              },
+              "allOf": [
+                {
+                  "$comment": "We want the user to provide the JWT property when the provider requires it, and omit JWT when the provider does not require it.",
+                  "if": {
+                    "properties": {
+                      "provider": {
+                        "anyOf": [
+                          { "const": "EntraID" },
+                          { "const": "AzureAD" },
+                          { "const": "Custom" }
+                        ]
+                      }
+                    },
+                    "required": ["provider"]
+                  },
+                  "then": { "required": ["jwt"] },
+                  "else": { "properties": { "jwt": false } }
+                }
+              ]
             }
           }
         },
diff --git a/src/Cli.Tests/ValidateConfigTests.cs b/src/Cli.Tests/ValidateConfigTests.cs
@@ -151,6 +151,7 @@ public void TestValidateConfigFailsWithInvalidGraphQLDepthLimit(object? depthLim
     [DataTestMethod]
     [DataRow("AzureAD")]
     [DataRow("EntraID")]
+    [DataRow("Custom")]
     public void TestMissingJwtProperties(string authScheme)
     {
         string ConfigWithJwtAuthentication = $"{{{SAMPLE_SCHEMA_DATA_SOURCE}, {RUNTIME_SECTION_JWT_AUTHENTICATION_PLACEHOLDER}, \"entities\": {{ }}}}";
diff --git a/src/Core/Azure.DataApiBuilder.Core.csproj b/src/Core/Azure.DataApiBuilder.Core.csproj
@@ -17,7 +17,6 @@
     <PackageReference Include="HotChocolate.Types.NodaTime" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
     <PackageReference Include="Microsoft.IdentityModel.Validators" />
-    <PackageReference Include="NJsonSchema" />
     <PackageReference Include="Microsoft.Azure.Cosmos" />
     <PackageReference Include="Microsoft.Data.SqlClient" />
     <PackageReference Include="Microsoft.Extensions.Configuration.Binder" />
@@ -28,6 +27,7 @@
     <PackageReference Include="MSTest.TestFramework" />
     <PackageReference Include="MySqlConnector" />
     <PackageReference Include="Newtonsoft.Json" />
+    <PackageReference Include="Newtonsoft.Json.Schema" />
     <PackageReference Include="Npgsql" />
     <PackageReference Include="Polly" />
     <PackageReference Include="Swashbuckle.AspNetCore.SwaggerUI" />
diff --git a/src/Core/Configurations/JsonConfigSchemaValidator.cs b/src/Core/Configurations/JsonConfigSchemaValidator.cs
@@ -7,8 +7,8 @@
 using Azure.DataApiBuilder.Config.ObjectModel;
 using Azure.DataApiBuilder.Core.Models;
 using Microsoft.Extensions.Logging;
-using NJsonSchema;
-using NJsonSchema.Validation;
+using Newtonsoft.Json.Linq;
+using Newtonsoft.Json.Schema;
 
 namespace Azure.DataApiBuilder.Core.Configurations;
 
@@ -38,21 +38,22 @@ public JsonConfigSchemaValidator(ILogger<JsonConfigSchemaValidator> jsonSchemaVa
     /// <param name="jsonData">The JSON data to validate.</param> 
     /// <returns>A tuple containing a boolean indicating
     /// if the validation was successful and a collection of validation errors if there were any.</returns> 
-    public async Task<JsonSchemaValidationResult> ValidateJsonConfigWithSchemaAsync(string jsonSchema, string jsonData)
+    public JsonSchemaValidationResult ValidateJsonConfigWithSchema(string jsonSchema, string jsonData)
     {
         try
         {
-            JsonSchema schema = await JsonSchema.FromJsonAsync(jsonSchema);
-            ICollection<ValidationError> validationErrors = schema.Validate(jsonData, SchemaType.JsonSchema);
+            JSchema schema = JSchema.Parse(jsonSchema);
+            JToken json = JToken.Parse(jsonData, new() { CommentHandling = CommentHandling.Ignore });
+            bool isValid = json.IsValid(schema, out IList<ValidationError> errors);
 
-            if (!validationErrors.Any())
+            if (isValid)
             {
                 _logger!.LogInformation("The config satisfies the schema requirements.");
                 return new(isValid: true, errors: null);
             }
             else
             {
-                return new(isValid: false, errors: validationErrors);
+                return new(isValid: false, errors: errors);
             }
         }
         catch (Exception e)
diff --git a/src/Core/Configurations/RuntimeConfigValidator.cs b/src/Core/Configurations/RuntimeConfigValidator.cs
@@ -213,7 +213,7 @@ public async Task<JsonSchemaValidationResult> ValidateConfigSchema(RuntimeConfig
             return new JsonSchemaValidationResult(isValid: false, errors: null);
         }
 
-        return await jsonConfigSchemaValidator.ValidateJsonConfigWithSchemaAsync(jsonSchema, jsonData);
+        return jsonConfigSchemaValidator.ValidateJsonConfigWithSchema(jsonSchema, jsonData);
     }
 
     /// <summary>
diff --git a/src/Core/Models/JsonSchemaValidationResult.cs b/src/Core/Models/JsonSchemaValidationResult.cs
@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
-using NJsonSchema.Validation;
+using Newtonsoft.Json.Schema;
 
 namespace Azure.DataApiBuilder.Core.Models;
 
@@ -34,7 +34,7 @@ public JsonSchemaValidationResult(bool isValid, ICollection<ValidationError>? er
     private static string FormatSchemaValidationErrorMessage(ICollection<ValidationError> validationErrors)
     {
         return $"> Total schema validation errors: {validationErrors.Count}\n" +
-            string.Join("", validationErrors.Select(e => $"> {e} at " +
+            string.Join("", validationErrors.Select(e => $"> {e.Message} at " +
             $"{e.LineNumber}:{e.LinePosition}\n\n"));
     }
 }
diff --git a/src/Directory.Packages.props b/src/Directory.Packages.props
@@ -52,9 +52,13 @@
         <PackageVersion Include="MSTest.TestFramework" Version="3.3.1" />
         <PackageVersion Include="MySqlConnector" Version="2.1.5" />
         <PackageVersion Include="Newtonsoft.Json" Version="13.0.2" />
+        <!--
+            We use an older version of Newtonsoft.Json.Schema because newer versions depend on Newtonsoft.Json >=13.0.3
+            which is not (and can not be made) available in Microsoft Private Nuget Feeds
+        -->
+        <PackageVersion Include="Newtonsoft.Json.Schema" Version="3.0.14" />
         <PackageVersion Include="Npgsql" Version="8.0.3" />
         <PackageVersion Include="Polly" Version="7.2.3" />
-        <PackageVersion Include="NJsonSchema" Version="10.9.0" />
         <PackageVersion Include="Swashbuckle.AspNetCore.SwaggerUI" Version="6.5.0" />
         <PackageVersion Include="System.CommandLine" Version="2.0.0-beta4.22272.1" />
         <PackageVersion Include="System.Drawing.Common" Version="8.0.3" />
diff --git a/src/Service.Tests/Configuration/ConfigurationTests.cs b/src/Service.Tests/Configuration/ConfigurationTests.cs
diff --git a/src/Service.Tests/Configuration/HotReload/ConfigurationHotReloadTests.cs b/src/Service.Tests/Configuration/HotReload/ConfigurationHotReloadTests.cs

Original file line number	Diff line number	Diff line change
`@@ -51,4 +51,3 @@ The following types of validations are run on the config file (in the order spec`
`51`	`51`
`52`	`52`	`## Limitations`
`53`	`53`	1. Currently the `validate` command support is limited to single datasource config file.
`54`		-2. `NJsonSchema.Net` package currently has an open issue that overlooks/ ignores "if then else" conditions in json schema for attribute checks. (refer [here](https://github.com/RicoSuter/NJsonSchema/issues/1240))
Original file line number	Diff line number	Diff line change
`@@ -151,6 +151,7 @@ public void TestValidateConfigFailsWithInvalidGraphQLDepthLimit(object? depthLim`
`151`	`151`	`[DataTestMethod]`
`152`	`152`	`[DataRow("AzureAD")]`
`153`	`153`	`[DataRow("EntraID")]`
	`154`	`+ [DataRow("Custom")]`
`154`	`155`	`public void TestMissingJwtProperties(string authScheme)`
`155`	`156`	`{`
`156`	`157`	`string ConfigWithJwtAuthentication = $"{{{SAMPLE_SCHEMA_DATA_SOURCE}, {RUNTIME_SECTION_JWT_AUTHENTICATION_PLACEHOLDER}, \"entities\": {{ }}}}";`
Original file line number	Diff line number	Diff line change
`@@ -7,8 +7,8 @@`
`7`	`7`	`using Azure.DataApiBuilder.Config.ObjectModel;`
`8`	`8`	`using Azure.DataApiBuilder.Core.Models;`
`9`	`9`	`using Microsoft.Extensions.Logging;`
`10`		`-using NJsonSchema;`
`11`		`-using NJsonSchema.Validation;`
	`10`	`+using Newtonsoft.Json.Linq;`
	`11`	`+using Newtonsoft.Json.Schema;`
`12`	`12`
`13`	`13`	`namespace Azure.DataApiBuilder.Core.Configurations;`
`14`	`14`
`@@ -38,21 +38,22 @@ public JsonConfigSchemaValidator(ILogger<JsonConfigSchemaValidator> jsonSchemaVa`
`38`	`38`	`/// <param name="jsonData">The JSON data to validate.</param>`
`39`	`39`	`/// <returns>A tuple containing a boolean indicating`
`40`	`40`	`/// if the validation was successful and a collection of validation errors if there were any.</returns>`
`41`		`- public async Task<JsonSchemaValidationResult> ValidateJsonConfigWithSchemaAsync(string jsonSchema, string jsonData)`
	`41`	`+ public JsonSchemaValidationResult ValidateJsonConfigWithSchema(string jsonSchema, string jsonData)`
`42`	`42`	`{`
`43`	`43`	`try`
`44`	`44`	`{`
`45`		`- JsonSchema schema = await JsonSchema.FromJsonAsync(jsonSchema);`
`46`		`- ICollection<ValidationError> validationErrors = schema.Validate(jsonData, SchemaType.JsonSchema);`
	`45`	`+ JSchema schema = JSchema.Parse(jsonSchema);`
	`46`	`+ JToken json = JToken.Parse(jsonData, new() { CommentHandling = CommentHandling.Ignore });`
	`47`	`+ bool isValid = json.IsValid(schema, out IList<ValidationError> errors);`
`47`	`48`
`48`		`- if (!validationErrors.Any())`
	`49`	`+ if (isValid)`
`49`	`50`	`{`
`50`	`51`	`_logger!.LogInformation("The config satisfies the schema requirements.");`
`51`	`52`	`return new(isValid: true, errors: null);`
`52`	`53`	`}`
`53`	`54`	`else`
`54`	`55`	`{`
`55`		`- return new(isValid: false, errors: validationErrors);`
	`56`	`+ return new(isValid: false, errors: errors);`
`56`	`57`	`}`
`57`	`58`	`}`
`58`	`59`	`catch (Exception e)`
Original file line number	Diff line number	Diff line change
`@@ -213,7 +213,7 @@ public async Task<JsonSchemaValidationResult> ValidateConfigSchema(RuntimeConfig`
`213`	`213`	`return new JsonSchemaValidationResult(isValid: false, errors: null);`
`214`	`214`	`}`
`215`	`215`
`216`		`- return await jsonConfigSchemaValidator.ValidateJsonConfigWithSchemaAsync(jsonSchema, jsonData);`
	`216`	`+ return jsonConfigSchemaValidator.ValidateJsonConfigWithSchema(jsonSchema, jsonData);`
`217`	`217`	`}`
`218`	`218`
`219`	`219`	`/// <summary>`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`// Copyright (c) Microsoft Corporation.`
`2`	`2`	`// Licensed under the MIT License.`
`3`	`3`
`4`		`-using NJsonSchema.Validation;`
	`4`	`+using Newtonsoft.Json.Schema;`
`5`	`5`
`6`	`6`	`namespace Azure.DataApiBuilder.Core.Models;`
`7`	`7`
`@@ -34,7 +34,7 @@ public JsonSchemaValidationResult(bool isValid, ICollection<ValidationError>? er`
`34`	`34`	`private static string FormatSchemaValidationErrorMessage(ICollection<ValidationError> validationErrors)`
`35`	`35`	`{`
`36`	`36`	`return $"> Total schema validation errors: {validationErrors.Count}\n" +`
`37`		`- string.Join("", validationErrors.Select(e => $"> {e} at " +`
	`37`	`+ string.Join("", validationErrors.Select(e => $"> {e.Message} at " +`
`38`	`38`	`$"{e.LineNumber}:{e.LinePosition}\n\n"));`
`39`	`39`	`}`
`40`	`40`	`}`