Re: [OAUTH-WG] Defining a maximum token length?
David Recordon <recordond@gmail.com> Wed, 10 March 2010 03:17 UTC
Date: Tue, 09 Mar 2010 19:16:40 -0800
Message-ID: <fd6741651003091916o4c3b3a3ao4dc7871ddf7df23b@mail.gmail.com>
From: David Recordon <recordond@gmail.com>
To: Ethan Jewett <esjewett@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Defining a maximum token length?
The challenge is that client developers (who we really want to make OAuth dead simple for) will be forced to use less optimal storage for tokens (blobs versus shorter and indexable types such as varchars). They also won't be able to build any assumptions around token length into their database design. Any DBA cringes when they see the blob type for multiple columns within a table (access token and refresh token per user). Some OAuth servers will have short tokens which a client might integrate with first and decide that a varchar(255) is reasonable to hold tokens. They'll then run across a server with longer tokens, not realize it, and be confused why their client isn't working when it's due to their database silently truncating tokens after 255 characters.

--David

On Tue, Mar 9, 2010 at 6:24 PM, Ethan Jewett <esjewett@gmail.com> wrote:
> Agreed. I've heard tell of Yahoo access tokens with encoded information weighing in at up to 800 characters. I don't see anything necessarily wrong with this and I don't think there's much reason to limit it in the spec. It could incur a significant bandwidth cost, but since the provider is going to shoulder most of this cost the provider is in a good position to make the tradeoff calculation.
>
> I think it would make sense to advise client library and application programmers to provide for the possibility of and storage of large tokens. We should probably reference examples of tokens seen in the wild and mention the technical limitations on token length from the HTTP protocol (which Dick outlines). I'm not sure where in the spec this would go, but it sounds like a good thing to include.
>
> Ethan
>
> On Tue, Mar 9, 2010 at 8:14 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> On 2010-03-09, at 4:23 PM, Marius Scurtescu wrote:
>>
>>> On Tue, Mar 9, 2010 at 3:50 PM, David Recordon <recordond@gmail.com> wrote:
>>>> Ideally we'd limit the length of access and refresh tokens as well as client keys and secrets to no more than 255 characters (a one byte varchar in MySQL).
>>>
>>>> Is this an issue for anyone?
>>>
>>> That being said, I don't see a problem with limiting the lengths.
>>
>> I would not want to limit them any more than they need to be.
>> When editing OAuth WRAP, we looked into size issues. Current limits are HTTP header size limitations, which are 4-8K total.
>>
>> Given the ability to put all the claims needed into the Access Token, I can see Access Tokens being 1-2K and being really useful.
>>
>> -- Dick
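The silent-truncation failure David describes, as an added example that is not part of the thread: a hypothetical client-side token store that compares token length against its declared column width and verifies the read-back value, so a server issuing 800-character or 2K tokens is caught instead of quietly cut to 255 characters. SQLite does not enforce VARCHAR widths, so the non-strict MySQL VARCHAR(255) behaviour is emulated in-process; `TokenStore`, `make_token` and the tokens themselves are constructed for this example.

```python
import sqlite3
import string

MAX_HTTP_HEADER_BYTES = 8192  # upper end of the 4-8K header limit cited in the thread


def make_token(length: int) -> str:
    """Constructed sample token of the requested length (not a real token)."""
    return "".join(string.ascii_letters[i % 52] for i in range(length))


class TokenStore:
    """Client-side token store with a declared column width (hypothetical API).

    SQLite does not enforce VARCHAR widths, so emulate_truncation=True mimics a
    non-strict MySQL VARCHAR(width) column that silently cuts long values.
    """

    def __init__(self, width: int, emulate_truncation: bool = False):
        self.width = width
        self.emulate_truncation = emulate_truncation
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE tokens (user TEXT PRIMARY KEY, access TEXT)")

    def _write(self, user: str, token: str) -> None:
        # Emulated non-strict column: value is cut to the column width.
        value = token[: self.width] if self.emulate_truncation else token
        self.db.execute("INSERT OR REPLACE INTO tokens VALUES (?, ?)", (user, value))

    def read(self, user: str) -> str:
        row = self.db.execute("SELECT access FROM tokens WHERE user = ?", (user,)).fetchone()
        return row[0]

    def store(self, user: str, token: str, precheck: bool = True) -> str:
        """Return 'ok', 'rejected' (too long for column or header) or 'truncated'.

        precheck=False models a client that never compared token length to its
        schema; the read-back comparison is then the only thing that catches
        the silent truncation described in the thread.
        """
        too_long = len(token.encode("utf-8")) > MAX_HTTP_HEADER_BYTES or len(token) > self.width
        if precheck and too_long:
            return "rejected"
        self._write(user, token)
        return "ok" if self.read(user) == token else "truncated"
```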