Re: [OAUTH-WG] Defining a maximum token length?

Luke Shepard <lshepard@facebook.com> Mon, 12 April 2010 22:06 UTC

From: Luke Shepard <lshepard@facebook.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, OAuth WG <oauth@ietf.org>
Date: Mon, 12 Apr 2010 15:04:26 -0700
Thread-Topic: [OAUTH-WG] Defining a maximum token length?
Message-ID: <2513A610118CC14C8E622C376C8DEC93D54D66DAAE@SC-MBXC1.TheFacebook.com>
References: <C7E8994A.2AA33%atom@yahoo-inc.com> <C7E8CF83.3216A%eran@hueniverse.com>
In-Reply-To: <C7E8CF83.3216A%eran@hueniverse.com>
List-Id: OAUTH WG <oauth.ietf.org>

Agreed. Seems that consensus is no limit.

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Eran Hammer-Lahav
Sent: Monday, April 12, 2010 1:24 PM
To: OAuth WG
Subject: Re: [OAUTH-WG] Defining a maximum token length?

Unless the chairs decide otherwise, I'd say we're done discussing this... The consensus is no limits but to offer guidance so that developers on both sides are aware of the need to communicate token sizes.

EHL


On 4/12/10 9:32 AM, "Allen Tom" <atom@yahoo-inc.com> wrote:
+1 on having no limits for the Access Token length.

I fully acknowledge that shorter is better - in the case where access tokens are passed on the URL as query parameters (aka jsonp), there are practical URL length limits. Bigger tokens consume more network resources, which can be a severe issue for mobile devices. Likewise, not defining the token size makes it harder for client developers to size their database.

That being said, given that the underlying APIs that are protected by OAuth2 are generally proprietary and are not interoperable, it's really up to the Service Provider to determine the appropriate requirements and limits for their Access tokens.

Allen



On 4/12/10 2:23 AM, "Anthony Nadalin" <tonynad@microsoft.com> wrote:
+1


From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Torsten Lodderstedt
Sent: Friday, April 09, 2010 11:57 PM
To: Eran Hammer-Lahav
Cc: OAuth WG
Subject: Re: [OAUTH-WG] Defining a maximum token length?

+1 no restriction, please

256 is much too short

Am 10.04.2010 07:16, schrieb Eran Hammer-Lahav:
I would argue that for the spec to provide a token size limit that is greater than 255 would cause more harm than good. This is not to say I am supporting the 255 limit (I take no position on the matter - yeah, that happens rarely). If the spec provided a 4K limit, client libraries are likely to codify that, which will make them extremely wasteful for 99% of the popular cases on the web today. A 4K limit doesn't really improve interop since the limit is so high, no one is likely to issue even bigger tokens with public APIs.

The 255 limit keeps the token size within the most effective database field size limit for this type of identifier. If we cannot reach consensus on this size limit, I don't think the spec should say anything. However, if I wrote a client library, I would make it use a 255 default size limit and require a custom configuration to enable it to use something else.

So my proposal is 255 or no size guidance/restriction.

EHL


On 4/9/10 4:49 PM, "Allen Tom" <atom@yahoo-inc.com> wrote:
I think a good precedent would be to use the HTTP Cookie size limit, which is 4KB.

An OAuth Access Token is like an HTTP Authorization cookie. They're both bearer tokens that are used as credentials for a client to access protected resources on behalf of the end user.

All OAuth clients have to implement HTTP anyway, so 4KB sounds like a reasonable limit.

Allen



> On Fri, Apr 9, 2010 at 3:14 AM, Luke Shepard <lshepard@facebook.com> wrote:

>>
>> So, what is a reasonable limit for the token length?  1k? 2k? 4k? 5mb? I
>> suggest some language like this:
>>
>>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth




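The thread settles on "no limit, but clients must be told what to expect". The practical consequence for a client implementer is the one Eran sketches (a conservative default limit that has to be raised by explicit configuration) combined with the failure modes Allen lists (URL length, cookie size, database column width). The block below is an added example written for this archive page; it is not code from the thread, from any OAuth library, or from any of the participants. The numbers are assumptions: a 255-character default (Eran's proposed client default), a 4096-byte cookie budget (Allen's precedent) and a 2048-byte URL budget chosen only for illustration, since browsers and proxies differ. The sample tokens are constructed strings of repeated characters.

```python
"""Client-side handling of opaque OAuth access tokens of unbounded length.

Added example, not code from the thread or from any OAuth library.
Assumptions (not from the thread): a 255-character default limit that is
raised only by explicit configuration; a 4096-byte per-cookie budget; a
2048-byte full-URL budget chosen here for illustration.
"""
import sqlite3
from typing import Optional
from urllib.parse import urlencode

DEFAULT_MAX_TOKEN_LEN = 255   # assumed default; raise explicitly, never silently
COOKIE_BUDGET = 4096          # assumed; common per-cookie limit
URL_BUDGET = 2048             # assumed; conservative full-URL budget


class TokenTooLong(ValueError):
    """Raised instead of silently truncating a token the client cannot store."""


class TokenStore:
    """Stores tokens in SQLite and enforces the client's configured limit up front.

    SQLite ignores the declared width of a VARCHAR column, so enforcement has
    to happen in application code. Databases that do enforce the width may cut
    the value instead of rejecting it; would_truncate() below models that case.
    """

    def __init__(self, max_len: int = DEFAULT_MAX_TOKEN_LEN) -> None:
        self.max_len = max_len
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE tokens (user_id TEXT PRIMARY KEY, token VARCHAR(255))"
        )

    def put(self, user_id: str, token: str) -> None:
        # Fail loudly: a token that does not fit must not be stored shortened.
        if len(token) > self.max_len:
            raise TokenTooLong(
                f"token is {len(token)} chars, configured limit is {self.max_len}; "
                "raise max_len explicitly rather than truncating"
            )
        self.conn.execute(
            "INSERT OR REPLACE INTO tokens (user_id, token) VALUES (?, ?)",
            (user_id, token),
        )
        self.conn.commit()

    def get(self, user_id: str) -> Optional[str]:
        row = self.conn.execute(
            "SELECT token FROM tokens WHERE user_id = ?", (user_id,)
        ).fetchone()
        return row[0] if row else None


def would_truncate(token: str, column_width: int) -> bool:
    """Models a column that silently cuts a value to its declared width.

    A truncated bearer token is still syntactically a token, so the defect
    surfaces later as a 401 from the resource server, not at write time.
    """
    stored = token[:column_width]
    return stored != token


def fits_in_cookie(name: str, token: str) -> bool:
    """True if 'name=token' stays within the assumed per-cookie budget."""
    return len(f"{name}={token}".encode()) <= COOKIE_BUDGET


def fits_in_url(base_url: str, token: str, param: str = "access_token") -> bool:
    """True if appending the token as a query parameter keeps the URL in budget.

    This is the query-parameter (JSONP) case Allen mentions. Beyond length,
    a token in the query string ends up in server and proxy logs, so send it
    in the Authorization header wherever the client can.
    """
    url = f"{base_url}?{urlencode({param: token})}"
    return len(url.encode()) <= URL_BUDGET


if __name__ == "__main__":
    # Constructed sample tokens; real tokens are opaque strings from the server.
    store = TokenStore()
    store.put("alice", "x" * 255)
    try:
        store.put("bob", "x" * 300)
    except TokenTooLong as exc:
        print("rejected:", exc)
    print("would truncate at 255:", would_truncate("x" * 300, 255))
    print("fits in cookie:", fits_in_cookie("sid", "x" * 300))
    print("fits in url:", fits_in_url("https://api.example.com/v1/me", "x" * 3000))
```

The point of the default is the one Eran makes: a library that quietly accepts any length trains nobody to think about storage, while one that rejects over-limit tokens forces the client developer to learn the server's actual token size and configure for it. The `would_truncate` check is the case to test against whatever database the client really uses, since a silently shortened bearer token only fails at the resource server.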