[request] XML (and json) schema validation #7201
Replies: 8 comments
-
Hi! Appreciate suggestions coming from the community :) Could you elaborate more on such a plugin? Maybe give a use case and eventually why such a plugin should be implemented in Kong? I would typically expect each backend service to do its own validation, and Kong aims more at grouping common functionalities of those backend services together. Since each service is (typically) doing its own validation, I am not sure relying on Kong for it is the best use case. Again, I'm waiting on a use case because I might not see the value yet. Thank you!
-
I tend to agree, I guess it depends on where you want to draw the line between your api management layer and your backend APIs. For us it is generally easier for us to change the config of the management layer than our backend systems so we generally try to get it to do as much of the heavy lifting as possible. Our requests have some fairly complicated xml payloads with lots of options and a reasonably sized xsd definition. Our backend APIs struggle to validate the payloads against the xsd due to various choices we have made with our tech stack - it's not impossible but it's difficult and slow. We moved the validation to our api management layer where it was simple to add the validation (the solution we use directly supports it). It also has the advantage that it makes our backend API more simple as it knows it will get a valid shaped message and so can concentrate on our business logic. As an aside, it also helps because our backend doesn't have to support xml payloads at all. We can validate the incoming xml against the xsd and transform it into a format that the backend understands. The simplest transformations we do are xml -> json, where the json is a subset of the xml. We have to accept a full xml message as they are pretty much an industry standard, but we're only really interested in a small part of the message. In practice, we turn on schema validation whilst we are testing with a partner and then turn it off in production as we know for the most part that the messages will be valid.
-
@thibaultcha I kind of understand your point but at the same time I think Kong should act not only as an orchestration layer but also as a security gatekeeper, which JSON schema (and XML schema) validations are part of. It would be valuable to have a plugin in Kong which enables JSON schema validation on top of the registered APIs. In this way we can centralize and offload the different applications from the validation workload which I still believe should belong to the edge of the API.
-
I have a similar use case to those described by @typingincolor and @lucamaraschi. One more point I can offer is that given kong is capable of doing request/response transformation in order to orchestrate or abstract requests to backends, that makes the kong level responsible for a unique api "contract". We maintain api documentation in RAML with jsonschema to describe the requirements for requests handled by the edge/gateway (currently using OpenRepose not Kong). The ability to use the same jsonschema files to perform validation at the edge/gateway layer is tremendously attractive and would add a lot of value to the product. The way we solve the problem now is by writing small services behind the gateway which do this validation and transformation. Obviously, this adds another hop, as well as another codebase to manage.
-
This would be a useful feature to have +1
-
+1. It would be great to validate the input payload in gateway, let me know if this is implemented.
-
If you have an xsd of the xml schema doing validation is pretty trivial if you leverage this lua lib: https://github.com/d-led/xerceslua

^As a plugin this would be easy to implement. There is certainly value in supporting XML as it's really popular in legacy/soap payload tx's, but with how Kong generally stays forward thinking I can see why this has stayed unimplemented. Also I did not see an easy lua lib that could just generally validate proper xml format without a given schema, which makes the implementation feel messy to me as no one wants to have to add an xsd schema to the plugin store in the db.
-
I used the lua json schema validators like ljsonschema & rapidjson and created a custom plugin using serverless pre-function approach as described in https://docs.konghq.com/hub/kong-inc/serverless-functions/ to achieve this. However lua based schemas seem very basic & send only the 1st error it encounters.
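An added example, not part of the comment above and not the poster's plugin: a plain-Lua sketch of edge validation that reports every violation in a payload rather than only the first. It is hand-rolled for a small subset of JSON Schema and does not use the ljsonschema or rapidjson APIs; the `validate` function, the schema and the sample body are all hypothetical, and in a gateway the body would be the decoded request payload.

```lua
-- Added example (not the poster's plugin, not the ljsonschema API).
-- Handles a subset of JSON Schema: type, enum, required, properties,
-- additionalProperties = false. Arrays are out of scope; keys are strings.
local function json_type(v)
  if type(v) == "table" then return "object" end
  if type(v) == "number" then return v % 1 == 0 and "integer" or "number" end
  return type(v)
end

local function type_ok(want, v)
  local got = json_type(v)
  return got == want or (want == "number" and got == "integer")
end

-- Appends every violation to `errors` and keeps walking the payload.
local function validate(schema, value, path, errors)
  path, errors = path or "", errors or {}
  if schema.type and not type_ok(schema.type, value) then
    errors[#errors + 1] = path .. ": expected " .. schema.type .. ", got " .. json_type(value)
    return errors -- nothing below a wrong-typed node can be checked
  end
  if schema.enum then
    local found = false
    for _, allowed in ipairs(schema.enum) do found = found or allowed == value end
    if not found then errors[#errors + 1] = path .. ": value not in enum" end
  end
  if type(value) ~= "table" then return errors end
  for _, name in ipairs(schema.required or {}) do
    if value[name] == nil then errors[#errors + 1] = path .. "/" .. name .. ": required property missing" end
  end
  local keys = {}
  for k in pairs(value) do keys[#keys + 1] = k end
  table.sort(keys) -- deterministic error order
  for _, k in ipairs(keys) do
    local sub = schema.properties and schema.properties[k]
    if sub then validate(sub, value[k], path .. "/" .. k, errors)
    elseif schema.additionalProperties == false then
      errors[#errors + 1] = path .. "/" .. k .. ": unexpected property"
    end
  end
  return errors
end

local schema = { type = "object", required = { "id", "currency", "amount" }, additionalProperties = false,
  properties = { id = { type = "string" }, currency = { type = "string", enum = { "EUR", "USD" } }, amount = { type = "number" } } }
local body = { id = 42, currency = "GBP", is_admin = true } -- constructed sample
for _, e in ipairs(validate(schema, body)) do print(e) end
```

Setting `additionalProperties = false` is what makes the gateway reject fields the contract never declared, such as the constructed `is_admin` key.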
-
It would be useful to validate the incoming request against either an xml or json schema definition