Re: [OAUTH-WG] Defining a maximum token length?
Eliot Lear <lear@cisco.com> Mon, 12 April 2010 11:39 UTC
Message-ID: <4BC3066F.8080607@cisco.com>
Date: Mon, 12 Apr 2010 13:39:27 +0200
From: Eliot Lear <lear@cisco.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Defining a maximum token length?

Is there some other natural parameter limit in place from HTTP?

Eliot

On 4/12/10 11:23 AM, Anthony Nadalin wrote:
>
> +1
>
> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On
> Behalf Of *Torsten Lodderstedt
> *Sent:* Friday, April 09, 2010 11:57 PM
> *To:* Eran Hammer-Lahav
> *Cc:* OAuth WG
> *Subject:* Re: [OAUTH-WG] Defining a maximum token length?
>
> +1 no restriction, please
>
> 256 is much too short
>
> On 10.04.2010 07:16, Eran Hammer-Lahav wrote:
>
> I would argue that for the spec to provide a token size limit that is
> greater than 255 would cause more harm than good. This is not to say I
> am supporting the 255 limit (I take no position on the matter – yeah,
> that happens rarely). If the spec provided a 4K limit, client
> libraries are likely to codify that which will make them extremely
> wasteful for 99% of the popular cases on the web today. A 4K limit
> doesn’t really improve interop since the limit is so high, no one is
> likely to issue even bigger tokens with public APIs.
>
> The 255 limit keeps the token size within the most effective database
> field size limit for this type of identifier. If we cannot reach
> consensus on this size limit, I don’t think the spec should say
> anything. However, if I wrote a client library, I would make it use a
> 255 default size limit and require a custom configuration to enable it
> to use something else.
>
> So my proposal is 255 or no size guidance/restriction.
>
> EHL
>
>
> On 4/9/10 4:49 PM, "Allen Tom" <atom@yahoo-inc.com> wrote:
>
> I think a good precedent would be to use the HTTP Cookie size limit, which
> is 4KB.
>
> An OAuth Access Token is like an HTTP Authorization cookie. They're both
> bearer tokens that are used as credentials for a client to access
> protected resources on behalf of the end user.
>
> All OAuth clients have to implement HTTP anyway, so 4KB sounds like a
> reasonable limit.
>
> Allen
>
>
> On Fri, Apr 9, 2010 at 3:14 AM, Luke Shepard <lshepard@facebook.com>
> wrote:
>
> >>
> >> So, what is a reasonable limit for the token length? 1k? 2k? 4k? 5mb? I
> >> suggest some language like this:
> >>
> >>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
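
The client-side default discussed in the quoted thread (a 255 limit unless configured otherwise), as an added example that is not part of any message in the thread: it contrasts a fixed-width field that silently truncates with a store that rejects oversized tokens. `TokenStore`, `naive_store`, `survives_storage` and the sample tokens are hypothetical names and constructed values, and tokens are assumed to be ASCII.

```python
import hmac
from dataclasses import dataclass, field

DEFAULT_MAX_TOKEN_BYTES = 255   # default size limit argued for in the thread
COOKIE_SIZED_MAX_BYTES = 4096   # the 4KB HTTP cookie precedent from the thread


class TokenTooLong(ValueError):
    """Raised instead of truncating an oversized token."""


def naive_store(token: str, width: int = DEFAULT_MAX_TOKEN_BYTES) -> str:
    # Weak pattern: behaves like a fixed-width field that silently cuts input.
    return token.encode("ascii")[:width].decode("ascii")


@dataclass
class TokenStore:
    """Hypothetical client-side store with an explicit, configurable limit."""
    max_bytes: int = DEFAULT_MAX_TOKEN_BYTES
    _rows: dict = field(default_factory=dict)

    def save(self, user: str, token: str) -> None:
        size = len(token.encode("ascii"))  # count bytes, as a column or header does
        if size == 0:
            raise ValueError("empty token")
        if size > self.max_bytes:
            # Fail loudly: a truncated bearer token no longer authenticates.
            raise TokenTooLong(f"{size} bytes exceeds limit of {self.max_bytes}")
        self._rows[user] = token

    def load(self, user: str) -> str:
        return self._rows[user]


def survives_storage(issued: str, stored: str) -> bool:
    # Constant-time comparison, as a server would compare a presented credential.
    return hmac.compare_digest(issued.encode("ascii"), stored.encode("ascii"))


# Constructed sample tokens: a short opaque handle and a 1000-byte token.
SHORT_TOKEN = "a" * 40
LONG_TOKEN = "b" * 1000

if __name__ == "__main__":
    print(survives_storage(LONG_TOKEN, naive_store(LONG_TOKEN)))  # truncated copy
    big = TokenStore(max_bytes=COOKIE_SIZED_MAX_BYTES)
    big.save("alice", LONG_TOKEN)
    print(survives_storage(LONG_TOKEN, big.load("alice")))
```
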