Re: [OAUTH-WG] Defining a maximum token length?

Anthony Nadalin <tonynad@microsoft.com> Fri, 09 April 2010 21:01 UTC

From: Anthony Nadalin <tonynad@microsoft.com>
To: Brian Eaton <beaton@google.com>, Luke Shepard <lshepard@facebook.com>
Thread-Topic: [OAUTH-WG] Defining a maximum token length?
Date: Fri, 09 Apr 2010 21:01:39 +0000
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Defining a maximum token length?

I would actually like to see the inclusion of reference tokens here also; I do think that the 255-character limit is too restrictive and needs to be revisited.

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Eaton
Sent: Friday, April 09, 2010 12:12 PM
To: Luke Shepard
Cc: OAuth WG
Subject: Re: [OAUTH-WG] Defining a maximum token length?

On Fri, Apr 9, 2010 at 3:14 AM, Luke Shepard <lshepard@facebook.com> wrote:
> Let's finish off the thread on token length limits.
>
> In summary, David Recordon proposed a length limit of 255 characters due to database length limits ("blobs versus shorter and indexable types such as varchars"). Several people were opposed to the 255 length limit. However, there was general favor of a limit, but just it should be a bit longer.
>
> So, what is a reasonable limit for the token length?  1k? 2k? 4k? 5mb? I suggest some language like this:
>
>        Access tokens MUST be less than 2KB.
<snip>
> - SAML 
> (http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)
>  "Persistent name identifier values MUST NOT exceed a length of 256 characters."

Note that access tokens are more like SAML assertions (which have no size limits) than persistent name identifiers.  Persistent name identifiers are basically user ids.

Anyone who is using access tokens in web delegation flows is going to need to be careful of size limits.

But there are a bunch of use cases for access tokens outside of those flows.

So would it make sense to give size recommendations based on the profile being used?

Cheers,
Brian
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
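The size question in this thread hinges on what kind of token is issued: an opaque reference token stays short regardless of what it grants, while a self-contained token (the SAML-assertion style Brian mentions) grows with its content and blows through a 255-character varchar column almost immediately. The following is an added illustration, not code from the thread or from any OAuth implementation: it builds both kinds with a constructed, simplified HMAC format (not a standard one), applies the "less than 2KB" bound Luke proposed as a resource-server guard, and shows which one would fit the indexable column that started the discussion. The key and claims are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Figures from the thread: 255 is the varchar column limit that motivated the
# original proposal; Luke's suggested text is "Access tokens MUST be less than 2KB".
VARCHAR_LIMIT = 255
PROPOSED_MAX_BYTES = 2048

DEMO_KEY = b"constructed-demo-key-not-for-real-use"   # constructed sample
DEMO_CLAIMS = {                                        # constructed sample claims
    "iss": "https://authorization-server.example.com",
    "sub": "user-8f3a2c",
    "aud": "https://resource-server.example.com",
    "exp": 1270850000,
    "iat": 1270846400,
    "scope": ["profile:read", "contacts:read", "calendar:read", "calendar:write", "mail:send"],
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_reference_token(nbytes: int = 32) -> str:
    """Opaque reference token: a random handle the server resolves by lookup.
    Its length depends only on the entropy chosen, not on what it grants."""
    return b64url(secrets.token_bytes(nbytes))

def make_self_contained_token(claims: dict, key: bytes) -> str:
    """Self-contained token (hypothetical format): the claims travel inside the
    token under an HMAC-SHA256 tag, so its size grows with the claims."""
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    tag = b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"

def verify_self_contained_token(token: str, key: bytes) -> Optional[dict]:
    """Constant-time tag check; returns the claims, or None if the tag is wrong."""
    body, _, tag = token.partition(".")
    expected = b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def token_length_ok(token: str, max_bytes: int = PROPOSED_MAX_BYTES) -> bool:
    """Resource-server guard applied before any lookup or parsing; max_bytes
    can be chosen per profile, as Brian suggests, rather than fixed globally."""
    return 0 < len(token.encode("utf-8")) < max_bytes

def fits_varchar(token: str, width: int = VARCHAR_LIMIT) -> bool:
    """Would the token fit an indexable varchar column of this width?"""
    return len(token) <= width
```

Running it on the sample claims shows the reference token at 43 characters and the self-contained token well past 255 yet comfortably under 2KB, which is the gap the thread is arguing over.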