Re: [OAUTH-WG] Defining a maximum token length?

Marius Scurtescu <mscurtescu@google.com> Sat, 20 March 2010 04:07 UTC

From: Marius Scurtescu <mscurtescu@google.com>
Date: Sat, 20 Mar 2010 00:07:29 -0400
To: jbemmel@zonnet.nl
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Defining a maximum token length?
In-Reply-To: <20100319134413.juq5w93kis80gwsw@webmail.versatel.nl>
Message-ID: <74caaad21003192107k5527971at3286cc24d3a3b6a5@mail.gmail.com>

On Fri, Mar 19, 2010 at 8:44 AM, <jbemmel@zonnet.nl> wrote:
> Hi,
>
> It appears that people agree excessive token length could be an issue for
> interoperability, but opinions vary on how long tokens could/should/must be.
> Relatively long tokens will occur when encoding data associated with the
> user (access rights, group memberships, etc.), and integrity protection /
> encryption techniques (relevant when tokens would be transmitted using plain
> HTTP) could also lead to long tokens.
>
> Instead of agreeing/standardizing on a limit for token lengths, how about
> specifying a parameter in which the client declares the maximum token length
> it can accept? That way, at least potential interop problems due to long
> tokens can be detected; the Authentication server can subsequently return an
> error response if the token it would issue exceeds the client's max length

Why can't the client just check the length of the returned token and decide if
it can use it or not? Much simpler than adding one extra parameter and
error code.

Also, the authorization server could specify the length range for its tokens in
its documentation, so clients would know what to expect before implementing
any code.

Marius
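The two positions in this exchange, written out as an added example that is not part of either message: a client that simply checks the length of whatever token comes back and refuses to use an overlong one (Marius's suggestion), next to an authorization server that honours a client-declared maximum and answers with an error instead of an oversized token (the proposal being replied to). The JSON token response shape with an "access_token" field, the parameter name "max_token_length", the error code "token_too_long", and the 2048-character limit are all assumptions made for this illustration, not anything the thread or the draft specifies.

```python
"""Client-side and server-side handling of a maximum token length.

Assumptions (not from the thread): the token response is a JSON object with
an "access_token" member, errors are reported as a JSON object with an "error"
member, the client-declared limit travels as a "max_token_length" parameter,
and a violation is reported as the error code "token_too_long".
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed client limit: the largest token this client's storage and
# transport (cookie, header, database column) can carry without truncation.
CLIENT_MAX_TOKEN_LEN = 2048


@dataclass
class TokenCheck:
    ok: bool
    token: Optional[str]
    reason: str


def check_token_response(body: str, max_len: int = CLIENT_MAX_TOKEN_LEN) -> TokenCheck:
    """Client side: validate a token response before the token is stored or used.

    The length check runs before persistence so that a token that would be
    silently truncated by a fixed-size store is rejected outright rather than
    turned into an unusable fragment.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return TokenCheck(False, None, "malformed response body")
    if not isinstance(data, dict):
        return TokenCheck(False, None, "malformed response body")
    if "error" in data:
        # Server declined to issue a token; surface its error code as-is.
        return TokenCheck(False, None, f"server error: {data['error']}")
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        return TokenCheck(False, None, "missing access_token")
    # Measure in the unit that actually constrains the client; bytes after
    # UTF-8 encoding are the conservative choice.
    length = len(token.encode("utf-8"))
    if length > max_len:
        return TokenCheck(False, None, f"token length {length} exceeds client max {max_len}")
    return TokenCheck(True, token, "ok")


def issue_token_response(token: str, client_max: Optional[int] = None) -> dict:
    """Server side of the proposed alternative: the client declared a maximum
    (hypothetical "max_token_length" parameter) and the server returns an
    error instead of a token it knows the client cannot accept.
    """
    if client_max is not None and len(token.encode("utf-8")) > client_max:
        return {"error": "token_too_long"}  # hypothetical error code
    return {"access_token": token}


if __name__ == "__main__":
    # Constructed sample responses, one acceptable and one oversized.
    print(check_token_response(json.dumps({"access_token": "abc123"})))
    print(check_token_response(json.dumps({"access_token": "x" * 4096})))
    # Same oversized token, but the server was told the client's limit up front.
    print(check_token_response(json.dumps(issue_token_response("x" * 4096, client_max=2048))))
```

Either way the client has to hold a limit it trusts; the difference is only whether the rejection happens at the server (one extra parameter and error code) or at the client after the response arrives. Whichever side performs the check, compare against the length in the unit that really constrains the client (bytes on the wire or in storage, possibly after URL-encoding), not just a character count.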