Re: [OAUTH-WG] Defining a maximum token length?

David Recordon <recordond@gmail.com> Wed, 10 March 2010 03:17 UTC

To: Ethan Jewett <esjewett@gmail.com>
Cc: OAuth WG <oauth@ietf.org>

The challenge is that client developers (who we really want to make
OAuth dead simple for) will be forced to use less optimal storage for
tokens (blobs versus shorter and indexable types such as varchars).
They also won't be able to build any assumptions around token length
into their database design.  Any DBA cringes when they see the blob
type for multiple columns within a table (access token and refresh
token per user).

Some OAuth servers will have short tokens which a client might
integrate with first and decide that a varchar(255) is reasonable to
hold tokens.  They'll then run across a server with longer tokens, not
realize it, and be confused why their client isn't working when it's
due to their database silently truncating tokens after 255 characters.

--David

On Tue, Mar 9, 2010 at 6:24 PM, Ethan Jewett <esjewett@gmail.com> wrote:
> Agreed. I've heard tell of Yahoo access tokens with encoded
> information weighing in at up to 800 characters. I don't see anything
> necessarily wrong with this and I don't think there's much reason to
> limit it in the spec. It could incur a significant bandwidth cost, but
> since the provider is going to shoulder most of this cost the provider
> is in a good position to make the tradeoff calculation.
>
> I think it would make sense to advise client library and application
> programmers to provide for the possibility of and storage of large
> tokens. We should probably reference examples of tokens seen in the
> wild and mention the technical limitations on token length from the
> HTTP protocol (which Dick outlines). I'm not sure where in the spec
> this would go, but it sounds like a good thing to include.
>
> Ethan
>
> On Tue, Mar 9, 2010 at 8:14 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> On 2010-03-09, at 4:23 PM, Marius Scurtescu wrote:
>>
>>> On Tue, Mar 9, 2010 at 3:50 PM, David Recordon <recordond@gmail.com> wrote:
>>>> Ideally we'd limit the length of access and refresh tokens as well as
>>>> client keys and secrets to no more than 255 characters (a one byte
>>>> varchar in MySQL).
>>>
>>>>  Is this an issue for anyone?
>>>
>>> That being said, I don't see a problem with limiting the lengths.
>>
>> I would not want to limit them any more than they need to be.
>> When editing OAuth WRAP, we looked into size issues. Current limits are HTTP header size limitations, which are 4-8K total.
>>
>> Given the ability to put all the claims needed into the Access Token, I can see Access Tokens being 1-2K and being really useful.
>>
>> -- Dick
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
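
The silent-truncation failure described in this message, as an added example that is not part of the original thread: a client stores a short and an 800-character token in a 255-character column, then in an unbounded column indexed by a fixed-length SHA-256 digest with a read-back check. The table names, function names and sample tokens are constructed for illustration; SQLite does not enforce varchar lengths, so `substr()` stands in for a database that truncates without raising an error.

```python
import hashlib
import sqlite3

COLUMN_LIMIT = 255  # the varchar(255) assumption discussed in the thread

# Constructed sample tokens (not real credentials).
SHORT_TOKEN = "s" * 40
LONG_TOKEN = "abcdefghij" * 80  # 800 characters


def make_db():
    db = sqlite3.connect(":memory:")
    # Naive design: token kept in a 255-character column.
    db.execute("CREATE TABLE naive (user TEXT PRIMARY KEY, token VARCHAR(255))")
    # Safer design: unbounded TEXT for the token, fixed-size digest for indexing.
    db.execute("CREATE TABLE safer (user TEXT PRIMARY KEY, token TEXT NOT NULL,"
               " token_sha256 CHAR(64) NOT NULL UNIQUE)")
    return db


def digest_of(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def store_naive(db, user, token):
    # substr() models a database that silently cuts the value to the column size.
    db.execute("INSERT OR REPLACE INTO naive VALUES (?, substr(?, 1, ?))",
               (user, token, COLUMN_LIMIT))


def store_safer(db, user, token):
    db.execute("INSERT OR REPLACE INTO safer VALUES (?, ?, ?)",
               (user, token, digest_of(token)))
    # Read back and compare so a truncating backend fails at write time,
    # not later as an unexplained authorization error.
    if load(db, "safer", user) != token:
        raise ValueError("stored token differs from issued token")


def load(db, table, user):
    if table not in ("naive", "safer"):  # table name is never caller-controlled
        raise ValueError("unknown table")
    row = db.execute("SELECT token FROM " + table + " WHERE user = ?", (user,)).fetchone()
    return row[0] if row else None


def lookup_by_token(db, token):
    # Indexed lookup uses the 64-character digest, whatever the token length.
    row = db.execute("SELECT user FROM safer WHERE token_sha256 = ?",
                     (digest_of(token),)).fetchone()
    return row[0] if row else None
```

With the naive table the short token round-trips and the long one comes back as its first 255 characters with no error raised, which is the confusing client failure the message predicts.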