Re: [OAUTH-WG] Defining a maximum token length?
Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 10 March 2010 04:44 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 90E183A6B32 for <oauth@core3.amsl.com>; Tue, 9 Mar 2010 20:44:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xO0GYlP1mfO3 for <oauth@core3.amsl.com>; Tue, 9 Mar 2010 20:44:20 -0800 (PST)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.31.28]) by core3.amsl.com (Postfix) with ESMTP id 386393A6841 for <oauth@ietf.org>; Tue, 9 Mar 2010 20:44:19 -0800 (PST)
Received: from p4fff23f9.dip.t-dialin.net ([79.255.35.249] helo=[127.0.0.1]) by smtprelay01.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1NpDmR-0001QS-2L; Wed, 10 Mar 2010 05:44:23 +0100
Message-ID: <4B9723A4.9050302@lodderstedt.net>
Date: Wed, 10 Mar 2010 05:44:20 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3
MIME-Version: 1.0
To: David Recordon <recordond@gmail.com>
References: <fd6741651003091550t5a464496r57aae9a60c516599@mail.gmail.com>
In-Reply-To: <fd6741651003091550t5a464496r57aae9a60c516599@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: 141509
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Defining a maximum token length?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2010 04:44:21 -0000
Hi David, I wouldn't restrict the length of a tokens to 255 characters, especially for access tokens. Our proprietary token service today uses a token type combination similar to OAUTH refresh and access tokens. Based on our experiences I would assume the following characteristics of a large-scale OAuth 2.0 implementation. Access tokens: Autonomous (w/o callback to authorization server) token validation and access control on the service side requires to put all relevant user/consumer data into the access token. So access token would contain the following data: User Id, Consumer id, context(s), validity, authentication methods, user attributes, user permissions, digital signature, token id For our token format, access token length would vary between 200 and 700 Bytes. Refresh tokens: in order to refuse refreshing requests for outdated tokens early and w/o database access, an authorization server would probably put a lot of data into refresh tokens: User Id, Consumer id, context(s), validity, authentication methods, digital signature For our token format, refresh tokens length would be about 200 Bytes. From my perspective, refresh tokens are a typical candidates for long-therm database storage on the consumer side. So limiting the length would be acceptable, if there is a real benefit. Length limitations could also be beneficially for the authorization server since it needs to lookup refresh tokens often. Regarding request payload length: For GET request there is the typical header length limitation. POST requests may contain an virtually unlimited size of data, even SAML assertion of > 10 Kb could be passed w/o any problem :-) Limiting the length of the client key is ok. The length of client secrets is somehow related to the algorithms used for consumer authentication. So a 255-chars restriction would probably raise issues when using public key crypthography. regards, Torsten. > Ideally we'd limit the length of access and refresh tokens as well as > client keys and secrets to no more than 255 characters (a one byte > varchar in MySQL). Is this an issue for anyone? > > The OAuth 1.0 protocol specifically states: > Clients should avoid making assumptions about the size of tokens and > other server-generated values, which are left undefined by this > specification. > > That seems like a poor idea when it comes to implementability of the > technology. Why did OAuth 1.0 make that decision? > > --David > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Chuck Mortimore
- Re: [OAUTH-WG] Defining a maximum token length? Marius Scurtescu
- Re: [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? Ethan Jewett
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? Marius Scurtescu
- Re: [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard
- Re: [OAUTH-WG] Defining a maximum token length? Brian Eaton
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? David Waite
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard
- Re: [OAUTH-WG] Defining a maximum token length? Brian Eaton
- Re: [OAUTH-WG] Defining a maximum token length? Justin Smith
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Moritz Maisel
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Paul Lindner
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Paul Lindner
- Re: [OAUTH-WG] Defining a maximum token length? jbemmel
- Re: [OAUTH-WG] Defining a maximum token length? Marius Scurtescu
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard
- Re: [OAUTH-WG] Defining a maximum token length? Brian Eaton
- Re: [OAUTH-WG] Defining a maximum token length? Anthony Nadalin
- Re: [OAUTH-WG] Defining a maximum token length? Allen Tom
- Re: [OAUTH-WG] Defining a maximum token length? Eran Hammer-Lahav
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Naitik Shah
- Re: [OAUTH-WG] Defining a maximum token length? Anthony Nadalin
- Re: [OAUTH-WG] Defining a maximum token length? Eliot Lear
- Re: [OAUTH-WG] Defining a maximum token length? Allen Tom
- Re: [OAUTH-WG] Defining a maximum token length? Eran Hammer-Lahav
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard