Re: [OAUTH-WG] Defining a maximum token length?

Allen Tom <atom@yahoo-inc.com> Fri, 09 April 2010 23:51 UTC

Date: Fri, 09 Apr 2010 16:49:49 -0700
From: Allen Tom <atom@yahoo-inc.com>
To: Luke Shepard <lshepard@facebook.com>, OAuth WG <oauth@ietf.org>
Message-ID: <C7E50B2D.2A788%atom@yahoo-inc.com>
In-Reply-To: <A08279DC79B11C48AD587060CD93977125EFF072@TK5EX14MBXC103.redmond.corp.microsoft.com>
Subject: Re: [OAUTH-WG] Defining a maximum token length?

I think a good precedent would be to use the HTTP Cookie size limit, which
is 4KB.

An OAuth Access Token is like an HTTP Authorization cookie. They're both
bearer tokens that are used as credentials for a client to access
protected resources on behalf of the end user.

All OAuth clients have to implement HTTP anyway, so 4KB sounds like a
reasonable limit.

Allen



> On Fri, Apr 9, 2010 at 3:14 AM, Luke Shepard <lshepard@facebook.com> wrote:

>> 
>> So, what is a reasonable limit for the token length?  1k? 2k? 4k? 5mb? I
>> suggest some language like this:
>> 
>>
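As an added example (not code from the thread or from any of the posters), the following shows how a resource server could enforce the 4 KB cap Allen proposes on both channels he compares, the Authorization header and a cookie, before the token reaches any lookup, signature check or log line. The `Bearer` scheme, the cookie name `access_token` and the 413/401 status choices are assumptions made for the example.

```python
# Added example: enforce a 4 KB bearer-token cap at the edge of a resource
# server, before the token is used for anything else. The "Bearer" scheme,
# the cookie name and the status codes below are assumptions; the thread only
# proposes the 4 KB figure by analogy with the HTTP cookie size limit.

MAX_TOKEN_BYTES = 4096          # the cookie size limit cited in the post
TOKEN_COOKIE = "access_token"   # assumed cookie name carrying the token


def extract_token(authorization_header: str):
    """Return (status, token) from an Authorization header value.

    200: a token of acceptable size was found
    401: header missing, wrong scheme or empty token
    413: token exceeds MAX_TOKEN_BYTES (rejected before any parsing)
    """
    if not authorization_header:
        return 401, None
    scheme, _, token = authorization_header.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return 401, None
    # Measure wire bytes, not characters: a limit phrased in KB is a transport
    # limit, so it is applied to the encoded form the client actually sent.
    if len(token.encode("utf-8")) > MAX_TOKEN_BYTES:
        return 413, None
    return 200, token


def token_from_request(headers: dict):
    """Prefer the Authorization header; fall back to the assumed token cookie.

    The same cap applies to both channels, since the post argues that an
    access token and an authorization cookie are the same kind of credential.
    """
    status, token = extract_token(headers.get("Authorization", ""))
    if status != 401:
        return status, token
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == TOKEN_COOKIE and value:
            if len(value.encode("utf-8")) > MAX_TOKEN_BYTES:
                return 413, None
            return 200, value
    return 401, None
```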