Re: [OAUTH-WG] Defining a maximum token length?
Anthony Nadalin <tonynad@microsoft.com> Fri, 09 April 2010 21:01 UTC
From: Anthony Nadalin <tonynad@microsoft.com>
To: Brian Eaton <beaton@google.com>, Luke Shepard <lshepard@facebook.com>
Date: Fri, 09 Apr 2010 21:01:39 +0000
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Defining a maximum token length?
I would actually like to see the inclusion of reference tokens here also; I do think that the 255 character limit is too restrictive and needs to be revisited.

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Eaton
Sent: Friday, April 09, 2010 12:12 PM
To: Luke Shepard
Cc: OAuth WG
Subject: Re: [OAUTH-WG] Defining a maximum token length?

On Fri, Apr 9, 2010 at 3:14 AM, Luke Shepard <lshepard@facebook.com> wrote:
> Let's finish off the thread on token length limits.
>
> In summary, David Recordon proposed a length limit of 255 characters due to database length limits ("blobs versus shorter and indexable types such as varchars"). Several people were opposed to the 255 length limit. However, there was general favor of a limit, just that it should be a bit longer.
>
> So, what is a reasonable limit for the token length? 1k? 2k? 4k? 5mb? I suggest some language like this:
>
> Access tokens MUST be less than 2KB.

<snip>

> - SAML
> (http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)
> "Persistent name identifier values MUST NOT exceed a length of 256 characters."

Note that access tokens are more like SAML assertions (which have no size limits) than persistent name identifiers. Persistent name identifiers are basically user ids.

Anyone who is using access tokens in web delegation flows is going to need to be careful of size limits. But there are a bunch of use cases for access tokens outside of those flows. So would it make sense to give size recommendations based on the profile being used?

Cheers,
Brian
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
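The thread contrasts short reference tokens (which fit an indexable varchar(255) column) with assertion-style tokens that carry their claims and easily exceed 255 characters while staying under the proposed 2 KB ceiling. The following is an added example, not code from the thread or from any participant, that generates both token styles and applies a size check before any storage lookup; the claim set, the HMAC-based token format and the two limits are constructed for illustration.

```python
"""Added example: token style drives token size; check size before storage lookup."""
import base64
import hashlib
import hmac
import json
import secrets

# Assumed limits taken from the discussion: 255 chars (varchar column) and
# 2 KB (the proposed "Access tokens MUST be less than 2KB" language).
VARCHAR_LIMIT = 255
PROPOSED_LIMIT = 2048


def _b64url(data: bytes) -> str:
    """base64url without padding, the usual wire encoding for tokens."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def reference_token(nbytes: int = 32) -> str:
    """Opaque reference token: random bytes; the server resolves it through a
    lookup table, so its length does not depend on how much state it names."""
    return _b64url(secrets.token_bytes(nbytes))


def self_contained_token(claims: dict, key: bytes) -> str:
    """Assertion-style token: claims travel inside the token, HMAC-SHA256
    signed. Illustrative 'body.tag' format only, not a standard token format."""
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    tag = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def fits(token: str, limit: int) -> bool:
    """Cheap guard a resource server can apply before touching the database
    or parsing the token; oversized input is rejected outright."""
    return len(token) <= limit


def demo() -> dict:
    key = secrets.token_bytes(32)        # constructed signing key
    ref = reference_token()
    claims = {                           # constructed claim set
        "iss": "https://as.example", "sub": "user-123", "aud": "https://rs.example",
        "client_id": "web-app-01",
        "scope": "openid profile email offline_access read:messages write:messages",
        "iat": 1270850499, "exp": 1270854099, "jti": secrets.token_hex(16),
    }
    sc = self_contained_token(claims, key)
    return {"ref_len": len(ref), "ref_fits_255": fits(ref, VARCHAR_LIMIT),
            "sc_len": len(sc), "sc_fits_255": fits(sc, VARCHAR_LIMIT),
            "sc_fits_2k": fits(sc, PROPOSED_LIMIT)}
```

Running `demo()` shows the reference token at 43 characters and the self-contained token a few hundred characters long: comfortably under 2 KB, but already past the 255-character column limit with only a modest claim set.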