Re: [OAUTH-WG] Defining a maximum token length?

Ethan Jewett <esjewett@gmail.com> Wed, 10 March 2010 02:24 UTC

In-Reply-To: <12ED1FAC-B9C6-47C1-AC01-AB33D110EF8C@gmail.com>
References: <fd6741651003091550t5a464496r57aae9a60c516599@mail.gmail.com> <74caaad21003091623i8b7c343jc3bb806fe327492d@mail.gmail.com> <12ED1FAC-B9C6-47C1-AC01-AB33D110EF8C@gmail.com>
Date: Tue, 09 Mar 2010 21:24:59 -0500
Message-ID: <68f4a0e81003091824n5453cf4cp151f313de5fd9c5e@mail.gmail.com>
From: Ethan Jewett <esjewett@gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Defining a maximum token length?

Agreed. I've heard tell of Yahoo access tokens with encoded
information weighing in at up to 800 characters. I don't see anything
necessarily wrong with this and I don't think there's much reason to
limit it in the spec. It could incur a significant bandwidth cost, but
since the provider is going to shoulder most of this cost the provider
is in a good position to make the tradeoff calculation.

I think it would make sense to advise client library and application
programmers to provide for the possibility of and storage of large
tokens. We should probably reference examples of tokens seen in the
wild and mention the technical limitations on token length from the
HTTP protocol (which Dick outlines). I'm not sure where in the spec
this would go, but it sounds like a good thing to include.

Ethan

On Tue, Mar 9, 2010 at 8:14 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> On 2010-03-09, at 4:23 PM, Marius Scurtescu wrote:
>
>> On Tue, Mar 9, 2010 at 3:50 PM, David Recordon <recordond@gmail.com> wrote:
>>> Ideally we'd limit the length of access and refresh tokens as well as
>>> client keys and secrets to no more than 255 characters (a one byte
>>> varchar in MySQL).
>>
>>>  Is this an issue for anyone?
>>
>> That being said, I don't see a problem with limiting the lengths.
>
> I would not want to limit them any more than they need to be.
> When editing OAuth WRAP, we looked into size issues. Current limits are HTTP header size limitations, which are 4-8K total.
>
> Given the ability to put all the claims needed into the Access Token, I can see Access Tokens being 1-2K and being really useful.
>
> -- Dick
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
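The two limits the thread keeps circling back to, the HTTP header budget Dick cites (4-8K total) and the VARCHAR(255) column David mentions, can be checked concretely. The following is an added example, not code from the thread, from Yahoo, or from any OAuth library. It assumes a hypothetical self-contained token format (base64url JSON claims signed with HMAC-SHA256, roughly the "claims in the access token" idea Dick describes), a Bearer-style Authorization header, a 4096-byte header-line budget as the low end of the quoted range, and a constructed key and claim set. The storage helper imitates a non-strict MySQL VARCHAR(255) that silently truncates; it is not a database call.

```python
import base64
import hashlib
import hmac
import json

# Assumed budgets, taken from the thread rather than from the OAuth spec.
HEADER_LINE_BUDGET = 4096  # assumption: low end of the 4-8K header limit Dick cites
VARCHAR_COLUMN = 255       # the one-byte-length VARCHAR David mentions

# Constructed key for the demo; a real provider uses a random secret.
KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    """base64url without padding, the usual choice for header-safe tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_token(claims: dict, key: bytes = KEY) -> str:
    """Hypothetical self-contained token: base64url(claims) '.' base64url(HMAC-SHA256).

    Illustrative format only; it is not the OAuth 1.0 or WRAP token format.
    """
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(mac)}"


def verify_token(token: str, key: bytes = KEY):
    """Return the claims if the MAC verifies, otherwise None.

    A truncated token either loses the '.' separator or carries a
    mangled MAC, so it fails here instead of being accepted.
    """
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):  # constant-time compare
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def header_line(token: str) -> bytes:
    """The header line as it goes on the wire (assumed Bearer-style scheme)."""
    return f"Authorization: Bearer {token}\r\n".encode("ascii")


def fits_header_budget(token: str, budget: int = HEADER_LINE_BUDGET) -> bool:
    return len(header_line(token)) <= budget


def store_in_varchar(token: str, width: int = VARCHAR_COLUMN) -> str:
    """Imitate a non-strict VARCHAR(width) column: the value is silently cut off."""
    return token[:width]


def small_token() -> str:
    """Constructed minimal claim set: subject and expiry only."""
    return mint_token({"sub": "user123", "exp": 1268187899})


def large_token() -> str:
    """Constructed claim set with 40 scopes, the kind of token Dick expects to be 1-2K."""
    scopes = [f"urn:example:service{i}:read" for i in range(40)]  # constructed scope names
    return mint_token({"sub": "user123", "exp": 1268187899, "scope": scopes})


def summarize(token: str) -> dict:
    """Length, header fit, and whether the token survives a VARCHAR(255) round trip."""
    return {
        "token_chars": len(token),
        "header_bytes": len(header_line(token)),
        "fits_header_budget": fits_header_budget(token),
        "verifies_as_issued": verify_token(token) is not None,
        "verifies_after_varchar": verify_token(store_in_varchar(token)) is not None,
    }


if __name__ == "__main__":
    for name, tok in (("small", small_token()), ("large", large_token())):
        print(name, summarize(tok))
```

The point the numbers make is the one Ethan raises: a claims-bearing token of a thousand-odd characters sits comfortably inside the header budget, but a client or provider that stores it in a 255-character column without strict mode keeps a silently truncated value that no longer verifies.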