IETF Logo Mail Archive

Re: [OAUTH-WG] Defining a maximum token length?

Luke Shepard <lshepard@facebook.com> Wed, 10 March 2010 05:12 UTC

Return-Path: <lshepard@facebook.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C223A3A6B32 for <oauth@core3.amsl.com>; Tue, 9 Mar 2010 21:12:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.265
X-Spam-Level:
X-Spam-Status: No, score=-4.265 tagged_above=-999 required=5 tests=[AWL=1.000, BAYES_00=-2.599, GB_I_LETTER=-2, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dP41RmyOHtgc for <oauth@core3.amsl.com>; Tue, 9 Mar 2010 21:12:01 -0800 (PST)
Received: from mailout-sf2p.facebook.com (mailout-snc1.facebook.com [69.63.179.25]) by core3.amsl.com (Postfix) with ESMTP id 33E1C3A6900 for <oauth@ietf.org>; Tue, 9 Mar 2010 21:12:01 -0800 (PST)
Received: from mail.thefacebook.com ([192.168.18.105]) by pp02.snc1.tfbnw.net (8.14.3/8.14.3) with ESMTP id o2A5BUtJ031855 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Tue, 9 Mar 2010 21:11:33 -0800
Received: from SC-MBXC1.TheFacebook.com ([192.168.18.102]) by sc-hub02.TheFacebook.com ([192.168.18.105]) with mapi; Tue, 9 Mar 2010 21:10:18 -0800
From: Luke Shepard <lshepard@facebook.com>
To: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 09 Mar 2010 21:10:16 -0800
Thread-Topic: [OAUTH-WG] Defining a maximum token length?
Thread-Index: AcrAD/mFQ+wEjtkaS3ClUQ4i/A+WDw==
Message-ID: <2F0FF21C-3D58-4F90-BDAC-EBAC89CCA9E9@facebook.com>
References: <fd6741651003091550t5a464496r57aae9a60c516599@mail.gmail.com> <74caaad21003091623i8b7c343jc3bb806fe327492d@mail.gmail.com> <12ED1FAC-B9C6-47C1-AC01-AB33D110EF8C@gmail.com> <68f4a0e81003091824n5453cf4cp151f313de5fd9c5e@mail.gmail.com> <fd6741651003091916o4c3b3a3ao4dc7871ddf7df23b@mail.gmail.com> <74caaad21003091925x7aeac395uac5ad816c543771e@mail.gmail.com> <fd6741651003091950w682db38ct257caf2dfc8e5855@mail.gmail.com> <9FC57A38-0331-4A9E-B8F2-50BF79D348B0@gmail.com>
In-Reply-To: <9FC57A38-0331-4A9E-B8F2-50BF79D348B0@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.8161:2.4.5, 1.2.40, 4.0.166 definitions=2010-03-10_04:2010-02-06, 2010-03-10, 2010-03-09 signatures=0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Defining a maximum token length?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2010 05:12:03 -0000

Whoa- are we seriously saying we need more than 255 characters to encode a token? (By the way, that's 10^396 combinations, with letters and numbers.)

Having short tokens makes the whole protocol much simpler, more approachable, easy to use for developers. I will push hard to keep them short and sweet.

For example, here's what would be needed in a naive, stateless Facebook access token:
 - 32-char api_key (client identifier)
 - 42-char session key
 - 20-char user id (max)
 - 20-char signature

All that comes to 114 characters max, which I still consider to be way too long. With a few additional optimizations (cut the signature length, base convert the app ID), it becomes closer to 70 characters, and I haven't even started trying to compress it or anything yet.

Here's what that URL would look like:

	http://example.com/oauth_endpoint?wrap_access_token=2m2zpk2w|2.5ybrE_bzYCp6A7_pK5PDVA__.3600.1268200800-2901279|aCe23FSrNM.

For comparison, here's a URL with a 255-character access token:

	http://example.com/oauth_endpoint?9295730172112|2.5ybrE_bzYCp6A7_pK5PDVA__.3600.1268200800-2901279|zpssaSxclo9eWs7Jw1Hga3FSrN9295730172112|2.5ybrE_bzYCp6A7_pK5PDVA__.3600.1268200800-2901279|zpssaSxclo9eWs7Jw1Hga3FSrNM9295730172112|2.5ybrE_bzYCp6A7_pK5PDVA__.3600.1268200800-2901279|zpcloMM'

Isn't that ugly? At least in my email window, the first URL fits on one line while the other stretches to three. This is starting to remind me of some OpenID URLs I've seen.

Torsten just replied:

>  So access token would 
> contain the following data: User Id, Consumer id, context(s), validity, 
> authentication methods, user attributes, user permissions, digital 
> signature, token id ... length would vary between 200 and 700 Bytes.


Can you give a representative example of that? I find it hard to believe that even all of those attributes couldn't fit into a much shorter token, if smartly sized.

Thanks,
Luke

v2.23.0 | Report a Bug | By Email