Re: [OAUTH-WG] Defining a maximum token length?

Naitik Shah <n@daaku.org> Sat, 10 April 2010 19:49 UTC

In-Reply-To: <31A9294B-3583-4BA0-8A56-FC8A3C00FED5@jkemp.net>
References: <C7E50B2D.2A788%atom@yahoo-inc.com> <4BC0234D.8040700@lodderstedt.net> <31A9294B-3583-4BA0-8A56-FC8A3C00FED5@jkemp.net>
From: Naitik Shah <n@daaku.org>
Date: Sat, 10 Apr 2010 12:49:22 -0700
Message-ID: <s2ifbb12ae41004101249y5b10f321xb1d2c6daa41220c9@mail.gmail.com>
To: John Kemp <john@jkemp.net>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Defining a maximum token length?

+1 small tokens.

JSON-P in IE to access protected resources has a limit of some 2000 bytes of
input. While OAuth 1.0 did not have a practical client-side profile, we
now do have one. This at least opens up the possibility of building
browser-based OAuth applications that do not need to proxy API requests to
jump the cross-domain boundary. To make this practically useful, the tokens
would need to be small, leaving as many of the 2000 bytes as possible for the
API request itself.


-Naitik
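As an added illustration of the budget described above (example code, not from the thread or any project), the script below builds the JSON-P URL a browser-based client would send and measures how much of an assumed 2000-byte limit the percent-encoded bearer token leaves for the API request. The endpoint, the `access_token` and `callback` parameter names, and both tokens are constructed assumptions.

```javascript
// Added example: URL budget of a JSON-P request carrying an OAuth bearer token.
// The 2000-byte limit is the figure quoted in the message; the endpoint,
// parameter names and tokens below are constructed for this illustration.
const IE_JSONP_URL_LIMIT = 2000;
const ENDPOINT = 'https://api.example.com/me';      // assumed resource URL
const PARAMS = { fields: 'name' };                  // assumed API parameters
const CALLBACK = 'handleMe';                        // assumed JSON-P callback

// Constructed tokens: a short opaque one containing '+' and '/' (which
// percent-encode to three bytes each), and a 4 KB one sized like the
// cookie limit proposed elsewhere in the thread.
const SMALL_TOKEN = 'k3/9Qx+Lm8/ZpA7+tVc2';
const COOKIE_SIZED_TOKEN = 'A'.repeat(4096);

// Build the GET URL a browser client would use for a JSON-P call.
// Every key/value is percent-encoded, as a real client must do.
function buildJsonpUrl(endpoint, token, params, callback) {
  const pairs = Object.entries({ ...params, access_token: token, callback })
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`);
  return `${endpoint}?${pairs.join('&')}`;
}

// Bytes the token occupies once encoded into the URL (can exceed its raw length).
function encodedTokenBytes(token) {
  return Buffer.byteLength(encodeURIComponent(token), 'utf8');
}

// Budget report: total URL size, bytes left for the API request itself
// (negative when the token alone blows the limit), and whether it fits at all.
function report(token, limit = IE_JSONP_URL_LIMIT) {
  const url = buildJsonpUrl(ENDPOINT, token, PARAMS, CALLBACK);
  const urlBytes = Buffer.byteLength(url, 'utf8');
  return {
    tokenBytes: encodedTokenBytes(token),
    urlBytes,
    remaining: limit - urlBytes,
    fits: urlBytes <= limit,
  };
}

console.log('small token  :', report(SMALL_TOKEN));
console.log('4 KB token   :', report(COOKIE_SIZED_TOKEN));
```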

On Sat, Apr 10, 2010 at 6:37 AM, John Kemp <john@jkemp.net> wrote:

> On Apr 10, 2010, at 3:05 AM, Torsten Lodderstedt wrote:
>
> > Hi Allen,
> >
> > as I already posted, I don't think a size limit is a good idea.
>
> +1
>
> >
> > Regarding your example: As per RFC-2109, 4KB is the minimum size that
> > must be supported by user agents. The maximum size is not restricted:
> > "In general, user agents' cookie support should have no fixed limits.".
> >
> > Moreover, other HTTP authentication mechanisms need much more than 4KB.
> > For example, SPNEGO authentication headers can be up to 12392 bytes.
>
> Cheers,
>
> - johnk
>
> >
> > regards,
> > Torsten.
> >
> > Am 10.04.2010 01:49, schrieb Allen Tom:
> >> I think a good precedent would be to use the HTTP Cookie size limit,
> >> which is 4KB.
> >>
> >> An OAuth Access Token is like an HTTP Authorization cookie. They're both
> >> bearer tokens that are used as credentials for a client to access
> >> protected resources on behalf of the end user.
> >>
> >> All OAuth clients have to implement HTTP anyway, so 4KB sounds like a
> >> reasonable limit.
> >>
> >> Allen
> >>
> >>> On Fri, Apr 9, 2010 at 3:14 AM, Luke Shepard <lshepard@facebook.com> wrote:
> >>>
> >>>> So, what is a reasonable limit for the token length? 1k? 2k? 4k? 5mb? I
> >>>> suggest some language like this:
> >>>>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >>