IETF Logo Mail Archive

Re: [OAUTH-WG] Defining a maximum token length?

Luke Shepard <lshepard@facebook.com> Wed, 10 March 2010 07:02 UTC

Return-Path: <lshepard@facebook.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 103443A6AEF for <oauth@core3.amsl.com>; Tue, 9 Mar 2010 23:02:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.765
X-Spam-Level:
X-Spam-Status: No, score=-3.765 tagged_above=-999 required=5 tests=[AWL=-0.500, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 93+kHitgOWzp for <oauth@core3.amsl.com>; Tue, 9 Mar 2010 23:02:02 -0800 (PST)
Received: from mailout-snc1.facebook.com (mailout-snc1.facebook.com [69.63.179.25]) by core3.amsl.com (Postfix) with ESMTP id E74183A6A58 for <oauth@ietf.org>; Tue, 9 Mar 2010 23:02:01 -0800 (PST)
Received: from mail.thefacebook.com ([192.168.18.104]) by pp01.snc1.tfbnw.net (8.14.3/8.14.3) with ESMTP id o2A71liK020221 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Tue, 9 Mar 2010 23:01:47 -0800
Received: from SC-MBXC1.TheFacebook.com ([192.168.18.102]) by sc-hub01.TheFacebook.com ([192.168.18.104]) with mapi; Tue, 9 Mar 2010 23:02:02 -0800
From: Luke Shepard <lshepard@facebook.com>
To: David Waite <david@alkaline-solutions.com>
Date: Tue, 09 Mar 2010 23:02:00 -0800
Thread-Topic: [OAUTH-WG] Defining a maximum token length?
Thread-Index: AcrAH5VXMRwODTuwQkio/wMF6QVE1w==
Message-ID: <D3BC6FD4-0530-4677-91C8-8B060C5DCEE3@facebook.com>
References: <fd6741651003091550t5a464496r57aae9a60c516599@mail.gmail.com> <74caaad21003091623i8b7c343jc3bb806fe327492d@mail.gmail.com> <12ED1FAC-B9C6-47C1-AC01-AB33D110EF8C@gmail.com> <68f4a0e81003091824n5453cf4cp151f313de5fd9c5e@mail.gmail.com> <fd6741651003091916o4c3b3a3ao4dc7871ddf7df23b@mail.gmail.com> <C39B5264-75E2-456A-ABB7-D1530660BA99@alkaline-solutions.com>
In-Reply-To: <C39B5264-75E2-456A-ABB7-D1530660BA99@alkaline-solutions.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.8161:2.4.5, 1.2.40, 4.0.166 definitions=2010-03-10_04:2010-02-06, 2010-03-10, 2010-03-09 signatures=0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Defining a maximum token length?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2010 07:02:04 -0000

I'd still like to see someone construct an example access token that is longer than 255 characters that would be reasonably used. If there are real, legitimate use cases that REQUIRE more than that many characters, then let's hear them. I don't think that appealing to "it might be useful" is a good enough argument.

>  nearly an order of magnitude smaller than a URL

I'd hope so, given that it is supposed to be a single URL parameter, and it has to share that URL length with other parameters to actual API calls.

> I don't believe all of these are formalized, but they all exist.

The lack of formalized URL length limits has been a headache for us, since we end up testing each browser and coding to the most restrictive. I'd like to avoid the need for OAuth clients to do the same.

On Mar 9, 2010, at 10:33 PM, David Waite wrote:

> On Mar 9, 2010, at 8:16 PM, David Recordon wrote:
> 
>> The challenge is that client developers (who we really want to make
>> OAuth dead simple for) will be forced to use less optimal storage for
>> tokens (blobs versus shorter and indexable types such as varchars).
>> They also won't be able to build any assumptions around token length
>> into their database design.  Any DBA cringes when they see the blob
>> type for multiple columns within a table (access token and refresh
>> token per user).
> 
> To throw another opinion on the fire - access tokens shouldn't be required to be over an order of magnitude smaller than browser cookies or HTTP headers, and nearly an order of magnitude smaller than a URL. In fact, 256 characters is only barely long enough to hold the longest allowed domain name.
> 
> To parallel browser cookies, HTTP headers and URLs, there are accepted 'minimum maximums' out there - which the minimum size that user agents are expected to support, and the maximum size the server will assume be supported by an arbitrary agent. I don't believe all of these are formalized, but they all exist.
> 
>> Some OAuth servers will have short tokens which a client might
>> integrate with first and decide that a varchar(255) is reasonable to
>> hold tokens.  They'll then run across a server with longer tokens, not
>> realize it, and be confused why their client isn't working when it's
>> due to their database silently truncating tokens after 255 characters.
> 
> Sounds like they should consider picking a different database vendor.
> 
> -DW
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email