Re: [OAUTH-WG] Defining a maximum token length?

Eliot Lear <lear@cisco.com> Mon, 12 April 2010 11:39 UTC

Message-ID: <4BC3066F.8080607@cisco.com>
Date: Mon, 12 Apr 2010 13:39:27 +0200
From: Eliot Lear <lear@cisco.com>
To: Anthony Nadalin <tonynad@microsoft.com>
References: <C7E557A0.32014%eran@hueniverse.com> <4BC02133.70209@lodderstedt.net> <A08279DC79B11C48AD587060CD93977125EFFC84@TK5EX14MBXC103.redmond.corp.microsoft.com>
In-Reply-To: <A08279DC79B11C48AD587060CD93977125EFFC84@TK5EX14MBXC103.redmond.corp.microsoft.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Defining a maximum token length?

Is there some other natural parameter limit in place from HTTP?

Eliot

On 4/12/10 11:23 AM, Anthony Nadalin wrote:
>
> +1
>
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Torsten Lodderstedt
> Sent: Friday, April 09, 2010 11:57 PM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Defining a maximum token length?
>
> +1 no restriction, please
>
> 256 is much too short
>
> On 10.04.2010 07:16, Eran Hammer-Lahav wrote:
>
> I would argue that for the spec to provide a token size limit that is 
> greater than 255 would cause more harm than good. This is not to say I 
> am supporting the 255 limit (I take no position on the matter – yeah, 
> that happens rarely). If the spec provided a 4K limit, client 
> libraries are likely to codify that which will make them extremely 
> wasteful for 99% of the popular cases on the web today. A 4K limit 
> doesn’t really improve interop since the limit is so high, no one is 
> likely to issue even bigger tokens with public APIs.
>
> The 255 limit keeps the token size within the most effective database 
> field size limit for this type of identifier. If we cannot reach 
> consensus on this size limit, I don’t think the spec should say 
> anything. However, if I wrote a client library, I would make it use a 
> 255 default size limit and require a custom configuration to enable it 
> to use something else.
>
> So my proposal is 255 or no size guidance/restriction.
>
> EHL
>
>
> On 4/9/10 4:49 PM, "Allen Tom" <atom@yahoo-inc.com> wrote:
>
> I think a good precedent would be to use the HTTP Cookie size limit, which
> is 4KB.
>
> An OAuth Access Token is like an HTTP Authorization cookie. They're both
> bearer tokens that are used as a credentials for a client to access
> protected resources on behalf of the end user.
>
> All OAuth clients have to implement HTTP anyway, so 4KB sounds like a
> reasonable limit.
>
> Allen
>
>
>
> > On Fri, Apr 9, 2010 at 3:14 AM, Luke Shepard <lshepard@facebook.com> wrote:
>
> >>
> >> So, what is a reasonable limit for the token length?  1k? 2k? 4k? 5mb? I
> >> suggest some language like this:
> >>
> >>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
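The thread's two concrete positions, Eran's 255-byte client-library default that "require[s] a custom configuration to enable it to use something else" and Allen's 4 KB cookie-derived cap, both amount to a length guard that runs before a token is stored or looked up. The block below is an added example, not code from the OAuth WG or from any poster in this thread. It assumes a client library or resource server that handles the access token as a Python string; the class and function names, the single-word Authorization scheme followed by one token, and the sample tokens are this example's own assumptions, not anything the thread defines.

```python
"""Configurable access-token length guard.

Added example, not code from the OAuth WG or any poster in this thread. It
assumes a client library or resource server that handles the access token as
a Python str and wants to reject oversized tokens before doing any expensive
work (hashing, database lookup). The 255 default follows Eran's proposed
client-library default; 4096 is Allen's cookie-derived figure. The class and
function names below are this example's own.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_MAX_TOKEN_BYTES = 255    # fits a VARCHAR(255) column without truncation
COOKIE_MAX_TOKEN_BYTES = 4096    # the 4 KB HTTP cookie precedent from the thread


@dataclass(frozen=True)
class TokenPolicy:
    """Per-deployment limit. A library should make this configurable rather
    than hard-coding 255, so a server that issues longer tokens still works."""
    max_bytes: int = DEFAULT_MAX_TOKEN_BYTES


def check_token(token: str, policy: TokenPolicy = TokenPolicy()) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Length is measured in UTF-8 bytes, because header caps and database column
    widths are byte limits, not character limits: a 200-character token made of
    2-byte characters is 400 bytes on the wire and in the column."""
    if not token:
        return False, "empty token"
    # Whitespace or control characters cannot survive header/cookie transport
    # and usually mean the caller forgot to strip or quote the value.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in token):
        return False, "token contains whitespace or control characters"
    size = len(token.encode("utf-8"))
    if size > policy.max_bytes:
        return False, f"token is {size} bytes, limit is {policy.max_bytes}"
    return True, "ok"


def token_from_authorization(header_value: str,
                             policy: TokenPolicy = TokenPolicy()) -> Optional[str]:
    """Pull the credentials string out of 'Authorization: <scheme> <token>'.

    The thread does not fix a scheme name, so this assumes only a single-word
    scheme followed by one token (an assumption of this example). The length
    check runs before the token is used for anything else; an oversized value
    never reaches storage or a lookup."""
    parts = header_value.split(None, 1)
    if len(parts) != 2:
        return None
    token = parts[1].strip()
    accepted, _reason = check_token(token, policy)
    return token if accepted else None


if __name__ == "__main__":
    # Constructed sample tokens, not real credentials.
    short = "a" * 255
    long_ = "a" * 256
    print(check_token(short))                                        # (True, 'ok')
    print(check_token(long_))                                        # rejected under the 255 default
    print(check_token(long_, TokenPolicy(COOKIE_MAX_TOKEN_BYTES)))   # accepted under the 4 KB cap
```

The byte-versus-character distinction matters for exactly the database argument in the thread: a VARCHAR(255) column silently truncates or rejects on bytes in most configurations, so a limit expressed in characters is not the same guarantee. Web servers also impose their own per-header caps (Apache's LimitRequestFieldSize defaults to 8190 bytes), so whatever limit a library chooses has to fit under the lowest cap on the path between client and resource server.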