IETF Logo Mail Archive

Re: [OAUTH-WG] Defining a maximum token length?

Dick Hardt <dick.hardt@gmail.com> Wed, 10 March 2010 01:14 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 24D9A3A677C for <oauth@core3.amsl.com>; Tue, 9 Mar 2010 17:14:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.565
X-Spam-Level:
X-Spam-Status: No, score=-2.565 tagged_above=-999 required=5 tests=[AWL=0.034, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zen6935zgjzE for <oauth@core3.amsl.com>; Tue, 9 Mar 2010 17:14:58 -0800 (PST)
Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.159]) by core3.amsl.com (Postfix) with ESMTP id 25E953A6774 for <oauth@ietf.org>; Tue, 9 Mar 2010 17:14:57 -0800 (PST)
Received: by fg-out-1718.google.com with SMTP id 22so2469021fge.13 for <oauth@ietf.org>; Tue, 09 Mar 2010 17:14:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:mime-version :content-type:from:in-reply-to:date:cc:content-transfer-encoding :message-id:references:to:x-mailer; bh=GwoatTdLQQf8f22b5onSoLatKfMlxNnZ6FPckxW1SxY=; b=Fs8+2zbZOyj46HW6Ud0OajBecUum4wx99wHxWZTy1HTPIFHiQG2XAuLJxZ5GmvCWRE 2FA1usES/iHF5HkxChTJn3ljbL8pg08kmPqAq8ifBqACVs/bJPd9el4+YBMIL07c+eBZ 2DlplBLqLnBPCyykUVhpbvYmUs13cr0gaHJ6s=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; b=vVgrXUCDack3abaK2JPp4NNYBSBRqh8wloWLAhMWMBrydEr99tdGVRpGiGSjqNmD2d ZLyTbxmAXvDnDcJz3oEbLUwxMCfplxPaDfSLr9WBe7T1r8AZc2Y4AAx++mRgQFiUgrjW zBGvKTvI+IA/REiwVoYfTlSzcqXmAMDQmLDqk=
Received: by 10.103.7.31 with SMTP id k31mr459116mui.132.1268183698937; Tue, 09 Mar 2010 17:14:58 -0800 (PST)
Received: from [10.0.0.152] ([204.153.195.166]) by mx.google.com with ESMTPS id 7sm32660721mup.3.2010.03.09.17.14.55 (version=TLSv1/SSLv3 cipher=RC4-MD5); Tue, 09 Mar 2010 17:14:58 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset="us-ascii"
From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <74caaad21003091623i8b7c343jc3bb806fe327492d@mail.gmail.com>
Date: Tue, 09 Mar 2010 17:14:47 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <12ED1FAC-B9C6-47C1-AC01-AB33D110EF8C@gmail.com>
References: <fd6741651003091550t5a464496r57aae9a60c516599@mail.gmail.com> <74caaad21003091623i8b7c343jc3bb806fe327492d@mail.gmail.com>
To: Marius Scurtescu <mscurtescu@google.com>
X-Mailer: Apple Mail (2.1077)
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Defining a maximum token length?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2010 01:14:59 -0000

On 2010-03-09, at 4:23 PM, Marius Scurtescu wrote:

> On Tue, Mar 9, 2010 at 3:50 PM, David Recordon <recordond@gmail.com> wrote:
>> Ideally we'd limit the length of access and refresh tokens as well as
>> client keys and secrets to no more than 255 characters (a one byte
>> varchar in MySQL).
> 
>>  Is this an issue for anyone?
> 
> That being said, I don't see a problem with limiting the lengths.

I would not want to limit them anymore than they need to be.
When editing OAuth WRAP, we looked into size issues. Current limits are HTTP header size limitations, which are 4-8K total.

Given the ability to put all the claims needed into the Access Token, I can see Access Tokens being 1-2K and being really useful.

-- Dick

v2.23.0 | Report a Bug | By Email