Re: [OAUTH-WG] Defining a maximum token length?

Chuck Mortimore <cmortimore@salesforce.com> Tue, 09 March 2010 23:57 UTC

From: Chuck Mortimore <cmortimore@salesforce.com>
To: David Recordon <recordond@gmail.com>, OAuth WG <oauth@ietf.org>
Date: Tue, 09 Mar 2010 15:57:59 -0800
Message-ID: <C7BC2087.2032%cmortimore@salesforce.com>
In-Reply-To: <fd6741651003091550t5a464496r57aae9a60c516599@mail.gmail.com>

No issue, and there is certainly precedent. SAML 2.0 specifies the following about persistent name identifiers, which would be similar in use and form factor:

Persistent name identifier values MUST NOT exceed a length of 256 characters

-cmort


On 3/9/10 3:50 PM, "David Recordon" <recordond@gmail.com> wrote:

Ideally we'd limit the length of access and refresh tokens as well as
client keys and secrets to no more than 255 characters (a one byte
varchar in MySQL).  Is this an issue for anyone?

The OAuth 1.0 protocol specifically states:
Clients should avoid making assumptions about the size of tokens and
other server-generated values, which are left undefined by this
specification.

That seems like a poor idea when it comes to implementability of the
technology.  Why did OAuth 1.0 make that decision?

--David
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth