IETF Logo Mail Archive

Re: [OAUTH-WG] Defining a maximum token length?

John Kemp <john@jkemp.net> Wed, 10 March 2010 15:42 UTC

Return-Path: <john@jkemp.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6E9A43A6AD8 for <oauth@core3.amsl.com>; Wed, 10 Mar 2010 07:42:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level:
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rv2upV6WhwLH for <oauth@core3.amsl.com>; Wed, 10 Mar 2010 07:42:00 -0800 (PST)
Received: from outbound-mail-01.bluehost.com (outbound-mail-01.bluehost.com [69.89.21.11]) by core3.amsl.com (Postfix) with SMTP id C7C063A6A2D for <oauth@ietf.org>; Wed, 10 Mar 2010 07:41:59 -0800 (PST)
Received: (qmail 32599 invoked by uid 0); 10 Mar 2010 15:42:04 -0000
Received: from unknown (HELO box320.bluehost.com) (69.89.31.120) by cpoproxy1.bluehost.com with SMTP; 10 Mar 2010 15:42:04 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=jkemp.net; h=Received:Subject:Mime-Version:Content-Type:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:X-Mailer:X-Identified-User; b=07Q/2VELHA1URYfDFwW5kvnbXqycGRJhwe9kmrqQDDtsFNPiZeqg473ItfJqMrLbm2j5DZcbXKYB3CyjbrqAsMrhMfQ40SIN+/KHeFNYdD4555J1mSizRR5GrnPowMjW;
Received: from c-75-69-14-217.hsd1.vt.comcast.net ([75.69.14.217] helo=[192.168.0.61]) by box320.bluehost.com with esmtpa (Exim 4.69) (envelope-from <john@jkemp.net>) id 1NpO2u-0001pB-KZ; Wed, 10 Mar 2010 08:42:04 -0700
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset="us-ascii"
From: John Kemp <john@jkemp.net>
In-Reply-To: <fd6741651003091550t5a464496r57aae9a60c516599@mail.gmail.com>
Date: Wed, 10 Mar 2010 10:42:03 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <0EC5832F-DE91-437F-96FE-87638A2BCF16@jkemp.net>
References: <fd6741651003091550t5a464496r57aae9a60c516599@mail.gmail.com>
To: David Recordon <recordond@gmail.com>
X-Mailer: Apple Mail (2.1077)
X-Identified-User: {1122:box320.bluehost.com:jkempnet:jkemp.net} {sentby:smtp auth 75.69.14.217 authed with john+jkemp.net}
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Defining a maximum token length?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2010 15:42:01 -0000

On Mar 9, 2010, at 6:50 PM, David Recordon wrote:

> Ideally we'd limit the length of access and refresh tokens as well as
> client keys and secrets to no more than 255 characters (a one byte
> varchar in MySQL).  Is this an issue for anyone?

Yes. 

Why would we want to encode such a specific implementation decision into the OAuth standard (where I'm sure there are lots of folks who don't use MySQL to log tokens)?

> The OAuth 1.0 protocol specifically states:
> Clients should avoid making assumptions about the size of tokens and
> other server-generated values, which are left undefined by this
> specification.
> 
> That seems like a poor idea when it comes to implementability of the
> technology.

Can you explain why this is a poor idea? 

It seems to me that such a statement leaves it open to implementations to create tokens that make sense for their usage and which work with their clients and partners. 

>  Why did OAuth 1.0 make that decision?

One reason I can imagine is to make it possible to encode information into the token itself so that the token can be "self-contained" (mentioned also by others on this list). 

A good reason to limit token length would be if there were issues in the client implementation which meant that tokens might get truncated by particular implementations - but I would guess that these would again be implementation-specific, and not something which should be standardized generally. 

Regards,

- johnk

v2.23.0 | Report a Bug | By Email