Re: [OAUTH-WG] State Size

Eran Hammer-Lahav <eran@hueniverse.com> Thu, 11 August 2011 20:06 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Anthony Nadalin <tonynad@microsoft.com>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Date: Thu, 11 Aug 2011 13:06:39 -0700
Message-ID: <CA69838C.17CB7%eran@hueniverse.com>
In-Reply-To: <B26C1EF377CB694EAB6BDDC8E624B6E723B89B3C@SN2PRD0302MB137.namprd03.prod.outlook.com>
Subject: Re: [OAUTH-WG] State Size

No objection, but in practice, this isn't very helpful. We can note the general practical boundaries which will warn the server to accept a minimum size.

EHL



From: Anthony Nadalin <tonynad@microsoft.com>
Date: Thu, 11 Aug 2011 10:34:26 -0700
To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: [OAUTH-WG] State Size

The spec states in multiple places that servers control how big authorization and other codes are, so clients can't be sure how much space they will have in URIs. How can anyone design a client that is intended to work with multiple authorization servers if they have no clue how big their state can be? Are they supposed to re-write their state system every time they run into a protected resource that wants to use a bigger auth code than the client has expected them to? We have to give client developers some kind of guidance they can use to let them know what is a 'safe' size for their state so they can successfully implement with all authorization servers. Recommendation is to say something like: "we assume URIs can be at least 2Kb and that the total client provided values (e.g. the base redirect URI plus the state value) are no more than 1K."
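The budgeting problem Anthony raises has a standard client-side answer that keeps the client's contribution to the redirect URI fixed no matter how large the authorization server's codes turn out to be: keep the application's real state server-side and send only a short, unguessable handle as the `state` parameter. The handle then also does the anti-CSRF job the `state` parameter exists for (bound to the user's session, single use). The following Python is an added example written for this thread, not code from the OAuth specification or from either poster; the 1K "client provided values" budget comes from Anthony's recommendation above, while the handle-based store, the `CLIENT_BUDGET_BYTES` constant, the in-memory `StateStore` class and the sample endpoint and URIs are assumptions constructed for illustration.

```python
import json
import secrets
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed budget, taken from the recommendation in the thread:
# redirect URI plus state value should stay within 1K of the URI.
CLIENT_BUDGET_BYTES = 1024


class StateStore:
    """Server-side store mapping a short opaque handle to the client's real state.

    An in-memory dict is used here (constructed for the example); a real client
    would back this with its session store or a database with expiry.
    """

    def __init__(self):
        self._entries = {}

    def create(self, session_id, app_state):
        # 24 random bytes -> 32 URL-safe characters: unguessable, fixed length.
        handle = secrets.token_urlsafe(24)
        self._entries[handle] = {"session_id": session_id, "app_state": app_state}
        return handle

    def consume(self, handle, session_id):
        # pop() makes the handle single-use; a replayed callback gets None.
        entry = self._entries.pop(handle, None)
        if entry is None:
            return None
        # Bind the handle to the browser session that started the flow, so a
        # callback delivered into a different session is rejected (CSRF check).
        if not hmac.compare_digest(entry["session_id"], session_id):
            return None
        return entry["app_state"]


def client_provided_bytes(redirect_uri, state):
    """Bytes the client itself contributes to the authorization-server redirect."""
    return len(redirect_uri.encode("utf-8")) + len(state.encode("utf-8"))


def within_budget(redirect_uri, state, budget=CLIENT_BUDGET_BYTES):
    return client_provided_bytes(redirect_uri, state) <= budget


def build_authorization_url(auth_endpoint, client_id, redirect_uri, handle, scope=None):
    """Authorization request whose state is the short handle, not the app state."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": handle,
    }
    if scope:
        params["scope"] = scope
    return auth_endpoint + "?" + urlencode(params)


def handle_callback(callback_url, store, session_id):
    """Parse the redirect back to the client; return code plus recovered app state,
    or None if the state handle is missing, unknown, replayed, or from another session."""
    query = parse_qs(urlparse(callback_url).query)
    handle = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if handle is None or code is None:
        return None
    app_state = store.consume(handle, session_id)
    if app_state is None:
        return None
    return {"code": code, "app_state": app_state}


if __name__ == "__main__":
    # Constructed sample values (hypothetical endpoint, client and session ids).
    store = StateStore()
    redirect_uri = "https://client.example/cb"
    big_state = {"return_to": "/reports/" + "x" * 3000, "nonce": "abc"}
    handle = store.create("session-1", big_state)
    url = build_authorization_url("https://as.example/authorize", "client-123",
                                  redirect_uri, handle, scope="read")
    print("authorization URL:", url)
    print("client bytes in redirect:", client_provided_bytes(redirect_uri, handle))
    # The authorization server may return any code length; the client's budget is unaffected.
    cb = "https://client.example/cb?" + urlencode({"code": "C" * 1500, "state": handle})
    print("callback result:", handle_callback(cb, store, "session-1"))
```

The size check applies only to what the client controls (`redirect_uri` and `state`), which is the part of the URI a client developer can actually budget for; how long the server's `code` is no longer matters to the client, because the application state never travels through the authorization server at all.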