Re: [OAUTH-WG] Defining a maximum token length?

Brian Eaton <beaton@google.com> Fri, 09 April 2010 19:12 UTC

In-Reply-To: <2513A610118CC14C8E622C376C8DEC93D54D66D95B@SC-MBXC1.TheFacebook.com>
References: <fd6741651003091550t5a464496r57aae9a60c516599@mail.gmail.com> <2513A610118CC14C8E622C376C8DEC93D54D66D95B@SC-MBXC1.TheFacebook.com>
Date: Fri, 09 Apr 2010 12:12:16 -0700
Message-ID: <p2ldaf5b9571004091212zb1693ed1g2dd592f27b996538@mail.gmail.com>
From: Brian Eaton <beaton@google.com>
To: Luke Shepard <lshepard@facebook.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Defining a maximum token length?

On Fri, Apr 9, 2010 at 3:14 AM, Luke Shepard <lshepard@facebook.com> wrote:
> Let's finish off the thread on token length limits.
>
> In summary, David Recordon proposed a length limit of 255 characters due to database length limits ("blobs versus shorter and indexable types such as varchars"). Several people were opposed to the 255 length limit. However, there was general favor of a limit, but just that it should be a bit longer.
>
> So, what is a reasonable limit for the token length?  1k? 2k? 4k? 5mb? I suggest some language like this:
>
>        Access tokens MUST be less than 2KB.
<snip>
> - SAML (http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)
>  "Persistent name identifier values MUST NOT exceed a length of 256 characters."

Note that access tokens are more like SAML assertions (which have no
size limits) than persistent name identifiers.  Persistent name
identifiers are basically user ids.

Anyone who is using access tokens in web delegation flows is going to
need to be careful of size limits.

But there are a bunch of use cases for access tokens outside of those flows.

So would it make sense to give size recommendations based on the
profile being used?

Cheers,
Brian
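The sizing trade-offs discussed in this thread (a 255-character indexable column, a "less than 2KB" token cap, and the extra care a token needs once it travels in a redirect URL in a web delegation flow), as an added example that is not part of the original messages. The 2048-byte URL budget, the column size and the `access_token`/`state` query parameter names are assumptions made for the example.

```python
# Added example (not from the thread): checking an access token against the
# limits discussed above. Assumes a 255-character database column, a strict
# 2 KB cap on the token itself, and a 2048-byte budget for a redirect URL that
# carries the token in its query string (all three values are assumptions).
from urllib.parse import quote, urlencode

TOKEN_CAP_BYTES = 2 * 1024      # "Access tokens MUST be less than 2KB"
VARCHAR_LIMIT_CHARS = 255       # indexable column size debated in the thread
URL_BUDGET_BYTES = 2048         # conservative redirect-URL budget (assumption)


def token_fits_storage(token: str) -> bool:
    """True if the token fits a 255-character column (counted in characters)."""
    return len(token) <= VARCHAR_LIMIT_CHARS


def token_fits_cap(token: str) -> bool:
    """True if the token is strictly under 2 KB once UTF-8 encoded (bytes, not characters)."""
    return len(token.encode("utf-8")) < TOKEN_CAP_BYTES


def encoded_token_length(token: str) -> int:
    """Length of the token after percent-encoding for a query string.

    Characters such as '+', '/' and '=' (common in base64 tokens) each expand
    to three bytes, so the on-the-wire size exceeds the raw token size.
    """
    return len(quote(token, safe=""))


def redirect_url_length(redirect_uri: str, token: str, state: str = "") -> int:
    """Byte length of the full redirect URL with the token (and optional state) in the query."""
    params = {"access_token": token}
    if state:
        params["state"] = state
    return len((redirect_uri + "?" + urlencode(params)).encode("utf-8"))


def fits_web_flow(redirect_uri: str, token: str, state: str = "") -> bool:
    """True if the whole redirect URL stays within the assumed URL budget."""
    return redirect_url_length(redirect_uri, token, state) <= URL_BUDGET_BYTES


if __name__ == "__main__":
    # Constructed sample: a 2000-byte token passes the token cap but leaves
    # almost no room in the URL once a state parameter is added.
    sample = "a" * 2000
    print(token_fits_cap(sample), fits_web_flow("https://client.example/cb", sample))
    print(fits_web_flow("https://client.example/cb", sample, state="xyz"))
```

A token that satisfies the cap in isolation can still break a web delegation flow, which is the point of profiling size recommendations per flow rather than setting one global number.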