Re: [OAUTH-WG] Defining a maximum token length?

Luke Shepard <lshepard@facebook.com> Fri, 09 April 2010 10:16 UTC

From: Luke Shepard <lshepard@facebook.com>
To: OAuth WG <oauth@ietf.org>
Date: Fri, 09 Apr 2010 03:14:15 -0700
Thread-Topic: [OAUTH-WG] Defining a maximum token length?
Thread-Index: Acq/41ofxdIYK5GGSdCWqWxkbv/5oAX6JVqw
Message-ID: <2513A610118CC14C8E622C376C8DEC93D54D66D95B@SC-MBXC1.TheFacebook.com>
References: <fd6741651003091550t5a464496r57aae9a60c516599@mail.gmail.com>
In-Reply-To: <fd6741651003091550t5a464496r57aae9a60c516599@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US

Let's finish off the thread on token length limits.

In summary, David Recordon proposed a length limit of 255 characters due to database length limits ("blobs versus shorter and indexable types such as varchars"). Several people were opposed to the 255 length limit. However, there was general favor of a limit, but just that it should be a bit longer.

So, what is a reasonable limit for the token length? 1k? 2k? 4k? 5mb? I suggest some language like this:

	Access tokens MUST be less than 2KB.

Here are some representative comments from the thread:

David Recordon: 
	"The challenge is that client developers (who we really want to make OAuth dead simple for) will be forced to use less optimal storage for tokens (blobs versus shorter and indexable types such as varchars)."

Chuck Mortimore: 
	"Standards have size limits to overcome operational issues all the time."

Dick Hardt: 
	"I would not want to limit them anymore than they need to be... I do see the need to make it clear that it can be a few K or something"

Ethan Jewett: 
	"I've heard tell of Yahoo access tokens with encoded information weighing in at up to 800 characters."

Torsten Lodderstedt: 
	"For our token format, access token length would vary between 200 and 700 Bytes."

David Waite: 
	"access tokens shouldn't be required to be over an order of magnitude smaller than browser cookies or HTTP headers... there are accepted 'minimum maximums' out there - which the minimum size that user agents are expected to support, and the maximum size the server will assume be supported by an arbitrary agent."

John Kemp: 
	"Why would we want to encode such a specific implementation decision into the OAuth standard?"

And there were some cited precedents for length limits in standards:

- SAML (http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)
  "Persistent name identifier values MUST NOT exceed a length of 256 characters."

- Email (http://www.faqs.org/rfcs/rfc2822.html)
  "There are two limits that this standard places on the number of
  characters in a line. Each line of characters MUST be no more than
  998 characters, and SHOULD be no more than 78 characters, excluding the CRLF."

  (http://www.ietf.org/rfc/rfc2821.txt)
  "There are several objects that have required minimum/maximum sizes.
  Every implementation MUST be able to receive objects of at least
  these sizes.  Objects larger than these sizes SHOULD be avoided when
  possible.  However, some Internet mail constructs such as encoded
  X.400 addresses [16] will often require larger objects: clients MAY
  attempt to transmit these, but MUST be prepared for a server to
  reject them if they cannot be handled by it.  To the maximum extent
  possible, implementation techniques which impose no limits on the
  length of these objects should be used."
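An added example (my own, not part of Luke Shepard's message nor code from any OAuth implementation) showing what the proposed rule looks like once it is enforced on both sides of the exchange: the receiver rejects a token at or above a byte bound before it parses or stores it, the issuer checks its own output against the same bound, and a helper flags whether a token would still fit a short indexable column. It also returns character and byte counts side by side, because the thread quotes both units and a limit has to say which one it means. The 2048-byte limit, the 255-character column, the base64url-over-JSON encoded token format and the claim values are all constructed assumptions for this example.

```python
import base64
import json
import secrets

# Constructed bounds (assumptions, not from the spec): the "less than 2KB"
# proposal read as bytes, and a 255-character VARCHAR column standing in for
# the "shorter and indexable" storage the thread contrasts with blobs.
MAX_TOKEN_BYTES = 2048
INDEXABLE_COLUMN_CHARS = 255


class TokenTooLong(ValueError):
    """Raised when a token exceeds the agreed bound."""


def token_size(token: str) -> tuple:
    """Return (characters, UTF-8 bytes).  The two differ for non-ASCII
    input, so a written limit must name its unit."""
    return len(token), len(token.encode("utf-8"))


def enforce_limit(token: str, max_bytes: int = MAX_TOKEN_BYTES) -> str:
    """Receiver-side check: reject an oversized token before it reaches a
    parser or a database column.  Returns the token unchanged if it fits."""
    _, nbytes = token_size(token)
    if nbytes >= max_bytes:
        raise TokenTooLong(f"token is {nbytes} bytes, limit is < {max_bytes}")
    return token


def issuer_can_mint(token: str, max_bytes: int = MAX_TOKEN_BYTES) -> bool:
    """Issuer-side counterpart: an authorization server that checks its own
    output never hands out a token the client is entitled to reject."""
    return token_size(token)[1] < max_bytes


def fits_indexable_column(token: str, max_chars: int = INDEXABLE_COLUMN_CHARS) -> bool:
    """Would this token fit a short, indexable column rather than a blob?"""
    return len(token) <= max_chars


def opaque_token(nbytes: int = 32) -> str:
    """Random opaque token (hypothetical issuer policy): the server keeps the
    claims in its own store, so the token itself stays short."""
    return secrets.token_urlsafe(nbytes)


def encoded_token(claims: dict) -> str:
    """Self-contained token carrying its claims, the kind the thread says
    reaches several hundred bytes.  Constructed format: base64url of compact
    JSON, unsigned (a real format would add a signature and grow further)."""
    raw = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_encoded_token(token: str) -> dict:
    """Parse an encoded token only after the length check has passed."""
    enforce_limit(token)
    padded = token + "=" * (-len(token) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


if __name__ == "__main__":
    # Constructed claims for a demo run.
    claims = {"sub": "user-123", "scope": "read write", "exp": 1270800000,
              "aud": "https://api.example.test"}
    for t in (opaque_token(), encoded_token(claims)):
        print(token_size(t), fits_indexable_column(t), issuer_can_mint(t))
    print(decode_encoded_token(encoded_token(claims)) == claims)
```

Running the block prints the size of a random opaque token next to an encoded one, which makes the thread's point concrete: the opaque token fits the 255-character column with room to spare, while anything that embeds claims grows with the claim set and needs the larger bound, and the check on receipt is what turns "MUST be less than 2KB" into a property a resource server can rely on.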