Re: [OAUTH-WG] Defining a maximum token length?
Eran Hammer-Lahav <eran@hueniverse.com> Sat, 10 April 2010 05:16 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 58AA83A6969 for <oauth@core3.amsl.com>; Fri, 9 Apr 2010 22:16:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.457
X-Spam-Level:
X-Spam-Status: No, score=-2.457 tagged_above=-999 required=5 tests=[AWL=0.141, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MNnDRqIN6h-E for <oauth@core3.amsl.com>; Fri, 9 Apr 2010 22:16:09 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 180403A6819 for <oauth@ietf.org>; Fri, 9 Apr 2010 22:16:07 -0700 (PDT)
Received: (qmail 7339 invoked from network); 10 Apr 2010 05:16:03 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 10 Apr 2010 05:16:03 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Fri, 9 Apr 2010 22:16:03 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Allen Tom <atom@yahoo-inc.com>, Luke Shepard <lshepard@facebook.com>, OAuth WG <oauth@ietf.org>
Date: Fri, 09 Apr 2010 22:16:00 -0700
Thread-Topic: [OAUTH-WG] Defining a maximum token length?
Thread-Index: AQHKv+NqeBNkDGZuLk6fvcZcrhAM6pIakGKAgACWUgD//6iHcIAAL6wxgABbIo4=
Message-ID: <C7E557A0.32014%eran@hueniverse.com>
In-Reply-To: <C7E50B2D.2A788%atom@yahoo-inc.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_C7E557A032014eranhueniversecom_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Defining a maximum token length?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Apr 2010 05:16:15 -0000
I would argue that for the spec to provide a token size limit that is greater than 255 would cause more harm than good. This is not to say I am supporting the 255 limit (I take no position on the matter - yeah, that happens rarely). If the spec provided a 4K limit, client libraries are likely to codify that which will make them extremely wasteful for 99% of the popular cases on the web today. A 4K limit doesn't really improve interop since the limit is so high, no one is likely to issue even bigger tokens with public APIs. The 255 limit keeps the token size within the most effective database field size limit for this type of identifier. If we cannot reach consensus on this size limit, I don't think the spec should say anything. However, if I wrote a client library, I would make it use a 255 default size limit and require a custom configuration to enable it to use something else. So my proposal is 255 or no size guidance/restriction. EHL On 4/9/10 4:49 PM, "Allen Tom" <atom@yahoo-inc.com> wrote: I think a good precedent would be to use the HTTP Cookie size limit, which is 4KB. An OAuth Access Token is like an HTTP Authorization cookie. They're both bearer tokens that are used as a credentials for a client to access protected resources on behalf of the end user. All Oauth clients have to implement HTTP anyway, so 4KB sounds like a reasonable limit. Allen > On Fri, Apr 9, 2010 at 3:14 AM, Luke Shepard <lshepard@facebook.com> wrote: >> >> So, what is a reasonable limit for the token length? 1k? 2k? 4k? 5mb? I >> suggest some language like this: >> >> _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Chuck Mortimore
- Re: [OAUTH-WG] Defining a maximum token length? Marius Scurtescu
- Re: [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? Ethan Jewett
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? Marius Scurtescu
- Re: [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard
- Re: [OAUTH-WG] Defining a maximum token length? Brian Eaton
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? David Waite
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard
- Re: [OAUTH-WG] Defining a maximum token length? Brian Eaton
- Re: [OAUTH-WG] Defining a maximum token length? Justin Smith
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Moritz Maisel
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Paul Lindner
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Paul Lindner
- Re: [OAUTH-WG] Defining a maximum token length? jbemmel
- Re: [OAUTH-WG] Defining a maximum token length? Marius Scurtescu
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard
- Re: [OAUTH-WG] Defining a maximum token length? Brian Eaton
- Re: [OAUTH-WG] Defining a maximum token length? Anthony Nadalin
- Re: [OAUTH-WG] Defining a maximum token length? Allen Tom
- Re: [OAUTH-WG] Defining a maximum token length? Eran Hammer-Lahav
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Naitik Shah
- Re: [OAUTH-WG] Defining a maximum token length? Anthony Nadalin
- Re: [OAUTH-WG] Defining a maximum token length? Eliot Lear
- Re: [OAUTH-WG] Defining a maximum token length? Allen Tom
- Re: [OAUTH-WG] Defining a maximum token length? Eran Hammer-Lahav
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard