Re: [OAUTH-WG] Defining a maximum token length?
Dick Hardt <dick.hardt@gmail.com> Wed, 10 March 2010 03:25 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7795E3A6801 for <oauth@core3.amsl.com>; Tue, 9 Mar 2010 19:25:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lV1qt5k1-nPs for <oauth@core3.amsl.com>; Tue, 9 Mar 2010 19:25:04 -0800 (PST)
Received: from mail-iw0-f180.google.com (mail-iw0-f180.google.com [209.85.223.180]) by core3.amsl.com (Postfix) with ESMTP id CA55A3A67E1 for <oauth@ietf.org>; Tue, 9 Mar 2010 19:25:03 -0800 (PST)
Received: by iwn10 with SMTP id 10so1553892iwn.31 for <oauth@ietf.org>; Tue, 09 Mar 2010 19:25:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=BsdwBrF9jbgz5mpH8oJvuGlp899/1ABpVZjftEsuWO8=; b=t7J/N/AZRb3xQxEVGnkPCYZkkk64XeR2xNo3agzRYItVPCMztshIPl/e3CRQZ9aK3Y 6iFgsjIpQhyPTFsxC3qYukx4cWOkApfIifpyjqXdtTrj61U4NxrmkcCEOG5szRfZ1+JB nSfyBSocNyo4Ln3XzvOHqFwAYXcsDFy5mkQBU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=FCLlMJEUjPN+WDUmzEY8ajEUVsl9uTwFex5ZQODzn0/28BEsHuMzyYpOGQ+9iBCKRW 0YEtYaJ/IVVke2fLqNEHt3TcKp555vU5pSJ+UgmniHKWWcy9Rk+fg2Pi+e5X8qGWG0xH 588xLCFIoXlGRxo2/sh0PVSq6VIsSrJNbXifw=
MIME-Version: 1.0
Received: by 10.231.147.16 with SMTP id j16mr316240ibv.42.1268191503250; Tue, 09 Mar 2010 19:25:03 -0800 (PST)
In-Reply-To: <fd6741651003091916o4c3b3a3ao4dc7871ddf7df23b@mail.gmail.com>
References: <fd6741651003091550t5a464496r57aae9a60c516599@mail.gmail.com> <74caaad21003091623i8b7c343jc3bb806fe327492d@mail.gmail.com> <12ED1FAC-B9C6-47C1-AC01-AB33D110EF8C@gmail.com> <68f4a0e81003091824n5453cf4cp151f313de5fd9c5e@mail.gmail.com> <fd6741651003091916o4c3b3a3ao4dc7871ddf7df23b@mail.gmail.com>
Date: Tue, 09 Mar 2010 19:25:03 -0800
Message-ID: <987bab591003091925g792f4e54j6c395089e343eb3@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
To: David Recordon <recordond@gmail.com>
Content-Type: multipart/alternative; boundary="001485e7c8060ef92c048169d81d"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Defining a maximum token length?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2010 03:25:05 -0000
I understand the desire to set a max length that can easily fit into a DB. There are lots of other items I think the developer is storing that can be long as well, like URLs -- so I don't see it as a huge issue. I do see the need to make it clear that it can be a few K or something like that so that people don't assume it is shorter than it might be. -- Dick On Tue, Mar 9, 2010 at 7:16 PM, David Recordon <recordond@gmail.com> wrote: > The challenge is that client developers (who we really want to make > OAuth dead simple for) will be forced to use less optimal storage for > tokens (blobs versus shorter and indexable types such as varchars). > They also won't be able to build any assumptions around token length > into their database design. Any DBA cringes when they see the blob > type for multiple columns within a table (access token and refresh > token per user). > > Some OAuth servers will have short tokens which a client might > integrate with first and decide that a varchar(255) is reasonable to > hold tokens. They'll then run across a server with longer tokens, not > realize it, and be confused why their client isn't working when it's > due to their database silently truncating tokens after 255 characters. > > --David > > On Tue, Mar 9, 2010 at 6:24 PM, Ethan Jewett <esjewett@gmail.com> wrote: > > Agreed. I've heard tell of Yahoo access tokens with encoded > > information weighing in at up to 800 characters. I don't see anything > > necessarily wrong with this and I don't think there's much reason to > > limit it in the spec. It could incur a significant bandwidth cost, but > > since the provider is going to shoulder most of this cost the provider > > in a good position to make the tradeoff calculation. > > > > I think it would make sense to advise client library and application > > programmers to provide for the possibility of and storage of large > > tokens. We should probably reference examples of tokens seen in the > > wild and mention the technical limitations on token length from the > > HTTP protocol (with Dick outlines). I'm not sure where in the spec > > this would go, but it sounds like a good thing to include. > > > > Ethan > > > > On Tue, Mar 9, 2010 at 8:14 PM, Dick Hardt <dick.hardt@gmail.com> wrote: > >> > >> On 2010-03-09, at 4:23 PM, Marius Scurtescu wrote: > >> > >>> On Tue, Mar 9, 2010 at 3:50 PM, David Recordon <recordond@gmail.com> > wrote: > >>>> Ideally we'd limit the length of access and refresh tokens as well as > >>>> client keys and secrets to no more than 255 characters (a one byte > >>>> varchar in MySQL). > >>> > >>>> Is this an issue for anyone? > >>> > >>> That being said, I don't see a problem with limiting the lengths. > >> > >> I would not want to limit them anymore than they need to be. > >> When editing OAuth WRAP, we looked into size issues. Current limits are > HTTP header size limitations, which are 4-8K total. > >> > >> Given the ability to put all the claims needed into the Access Token, I > can see Access Tokens being 1-2K and being really useful. > >> > >> -- Dick > >> _______________________________________________ > >> OAuth mailing list > >> OAuth@ietf.org > >> https://www.ietf.org/mailman/listinfo/oauth > >> > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > >
- [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Chuck Mortimore
- Re: [OAUTH-WG] Defining a maximum token length? Marius Scurtescu
- Re: [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? Ethan Jewett
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? Marius Scurtescu
- Re: [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard
- Re: [OAUTH-WG] Defining a maximum token length? Brian Eaton
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? David Waite
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard
- Re: [OAUTH-WG] Defining a maximum token length? Brian Eaton
- Re: [OAUTH-WG] Defining a maximum token length? Justin Smith
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Moritz Maisel
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Paul Lindner
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Paul Lindner
- Re: [OAUTH-WG] Defining a maximum token length? jbemmel
- Re: [OAUTH-WG] Defining a maximum token length? Marius Scurtescu
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard
- Re: [OAUTH-WG] Defining a maximum token length? Brian Eaton
- Re: [OAUTH-WG] Defining a maximum token length? Anthony Nadalin
- Re: [OAUTH-WG] Defining a maximum token length? Allen Tom
- Re: [OAUTH-WG] Defining a maximum token length? Eran Hammer-Lahav
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Naitik Shah
- Re: [OAUTH-WG] Defining a maximum token length? Anthony Nadalin
- Re: [OAUTH-WG] Defining a maximum token length? Eliot Lear
- Re: [OAUTH-WG] Defining a maximum token length? Allen Tom
- Re: [OAUTH-WG] Defining a maximum token length? Eran Hammer-Lahav
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard