Re: [OAUTH-WG] Defining a maximum token length?
Brian Eaton <beaton@google.com> Wed, 10 March 2010 05:15 UTC
Return-Path: <beaton@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6ED5A3A6B4F for <oauth@core3.amsl.com>; Tue, 9 Mar 2010 21:15:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.977
X-Spam-Level:
X-Spam-Status: No, score=-105.977 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HXAcziGESZ5B for <oauth@core3.amsl.com>; Tue, 9 Mar 2010 21:15:37 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id 827263A6839 for <oauth@ietf.org>; Tue, 9 Mar 2010 21:15:37 -0800 (PST)
Received: from kpbe14.cbf.corp.google.com (kpbe14.cbf.corp.google.com [172.25.105.78]) by smtp-out.google.com with ESMTP id o2A5FdPa031247 for <oauth@ietf.org>; Tue, 9 Mar 2010 21:15:41 -0800
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1268198141; bh=9vCqze/dUjFFt/vHJSIPtgaKmPE=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type:Content-Transfer-Encoding; b=M3T5Y7NrFpu4JB2v/pS6RuPzbYhbD08HBjl7wf/kA+VSLSbtGHvw0GTKDUfgWvEwW dOYPHPZeiugScjKGt0s8g==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:content-transfer-encoding:x-system-of-record; b=pHdnKgDKL6nu3Dj+pdTWQzTn5ivHZXP3Q8TUCCT/U3gPG5J9ZyBp8DubeoiyL5EKT CkMG5nvw7ZmuCUb4HEbnw==
Received: from qyk28 (qyk28.prod.google.com [10.241.83.156]) by kpbe14.cbf.corp.google.com with ESMTP id o2A5FR4Y029497 for <oauth@ietf.org>; Tue, 9 Mar 2010 21:15:38 -0800
Received: by qyk28 with SMTP id 28so9025099qyk.14 for <oauth@ietf.org>; Tue, 09 Mar 2010 21:15:38 -0800 (PST)
MIME-Version: 1.0
Received: by 10.220.124.149 with SMTP id u21mr70376vcr.208.1268198138287; Tue, 09 Mar 2010 21:15:38 -0800 (PST)
In-Reply-To: <fd6741651003091644x36c2b4f2tebf3ff476b054ea0@mail.gmail.com>
References: <fd6741651003091550t5a464496r57aae9a60c516599@mail.gmail.com> <74caaad21003091623i8b7c343jc3bb806fe327492d@mail.gmail.com> <fd6741651003091644x36c2b4f2tebf3ff476b054ea0@mail.gmail.com>
Date: Tue, 09 Mar 2010 21:15:38 -0800
Message-ID: <daf5b9571003092115oc0c76c9jb859db6f0984a469@mail.gmail.com>
From: Brian Eaton <beaton@google.com>
To: David Recordon <recordond@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Defining a maximum token length?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2010 05:15:38 -0000
On Tue, Mar 9, 2010 at 4:44 PM, David Recordon <recordond@gmail.com> wrote: > I believe that Google wishes to encode information within access > tokens so that they can be verified in a stateless manner. Brian, how > many characters do you need? I think it would be OK to make request tokens short. They are service-specific passwords, and can/should be treated as such. For authorization servers: store cryptographically strong one-way hashes. No need to salt the hashes, because they are very high-entropy already. For clients: store them in a DB that is locked down as tight as you can get it. Plan on changing your client secret when the DBA leaves the company. (hrm, I just saw that Torsten has a use case for refresh token == encrypted blob. I am deeply suspicious.) For most deployments, access tokens are basically like session cookies. Some deployments use self-verifying cookies with keys stored server-side, other people store sessions in databases or in-memory. There are lots of fun trade-offs here. The choices you make have fundamental impacts on every facet of your systems, ranging from DNS, to load balancers, to frontends, to backend servers. The choice ripples out to impact scalability, security, latency, and availability *everywhere*. It would be a mistake for the spec to say that access tokens have to be short - that one decision impacts way too many other things. The non-opaque access token use cases (SWT, claims in access tokens) are interesting, and for those use cases access tokens can't be short either. Cheers, Brian
- [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Chuck Mortimore
- Re: [OAUTH-WG] Defining a maximum token length? Marius Scurtescu
- Re: [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? Ethan Jewett
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? Marius Scurtescu
- Re: [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard
- Re: [OAUTH-WG] Defining a maximum token length? Brian Eaton
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? David Waite
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard
- Re: [OAUTH-WG] Defining a maximum token length? Brian Eaton
- Re: [OAUTH-WG] Defining a maximum token length? Justin Smith
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Moritz Maisel
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Paul Lindner
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Paul Lindner
- Re: [OAUTH-WG] Defining a maximum token length? jbemmel
- Re: [OAUTH-WG] Defining a maximum token length? Marius Scurtescu
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard
- Re: [OAUTH-WG] Defining a maximum token length? Brian Eaton
- Re: [OAUTH-WG] Defining a maximum token length? Anthony Nadalin
- Re: [OAUTH-WG] Defining a maximum token length? Allen Tom
- Re: [OAUTH-WG] Defining a maximum token length? Eran Hammer-Lahav
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Naitik Shah
- Re: [OAUTH-WG] Defining a maximum token length? Anthony Nadalin
- Re: [OAUTH-WG] Defining a maximum token length? Eliot Lear
- Re: [OAUTH-WG] Defining a maximum token length? Allen Tom
- Re: [OAUTH-WG] Defining a maximum token length? Eran Hammer-Lahav
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard