Re: [OAUTH-WG] Defining a maximum token length?
Allen Tom <atom@yahoo-inc.com> Mon, 12 April 2010 16:39 UTC
Date: Mon, 12 Apr 2010 09:32:58 -0700
From: Allen Tom <atom@yahoo-inc.com>
To: Anthony Nadalin <tonynad@microsoft.com>, Torsten Lodderstedt <torsten@lodderstedt.net>, Eran Hammer-Lahav <eran@hueniverse.com>
Message-ID: <C7E8994A.2AA33%atom@yahoo-inc.com>
In-Reply-To: <A08279DC79B11C48AD587060CD93977125EFFC84@TK5EX14MBXC103.redmond.corp.microsoft.com>
Cc: OAuth WG <oauth@ietf.org>
+1 on having no limits for the Access Token length. I fully acknowledge that shorter is better: in the case where access tokens are passed on the URL as query parameters (aka JSONP), there are practical URL length limits. Bigger tokens consume more network resources, which can be a severe issue for mobile devices. Likewise, not defining the token size makes it harder for client developers to size their database.

That being said, given that the underlying APIs that are protected by OAuth2 are generally proprietary and are not interoperable, it's really up to the Service Provider to determine the appropriate requirements and limits for their Access tokens.

Allen

On 4/12/10 2:23 AM, "Anthony Nadalin" <tonynad@microsoft.com> wrote:
> +1
>
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Torsten Lodderstedt
> Sent: Friday, April 09, 2010 11:57 PM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Defining a maximum token length?
>
> +1 no restriction, please
>
> 256 is much too short
>
> On 10.04.2010 07:16, Eran Hammer-Lahav wrote:
> I would argue that for the spec to provide a token size limit that is greater than 255 would cause more harm than good. This is not to say I am supporting the 255 limit (I take no position on the matter; yeah, that happens rarely). If the spec provided a 4K limit, client libraries are likely to codify that, which will make them extremely wasteful for 99% of the popular cases on the web today. A 4K limit doesn't really improve interop since the limit is so high; no one is likely to issue even bigger tokens with public APIs.
>
> The 255 limit keeps the token size within the most effective database field size limit for this type of identifier. If we cannot reach consensus on this size limit, I don't think the spec should say anything. However, if I wrote a client library, I would make it use a 255 default size limit and require a custom configuration to enable it to use something else.
>
> So my proposal is 255 or no size guidance/restriction.
>
> EHL
>
> On 4/9/10 4:49 PM, "Allen Tom" <atom@yahoo-inc.com> wrote:
> I think a good precedent would be to use the HTTP Cookie size limit, which is 4KB.
>
> An OAuth Access Token is like an HTTP Authorization cookie. They're both bearer tokens that are used as credentials for a client to access protected resources on behalf of the end user.
>
> All OAuth clients have to implement HTTP anyway, so 4KB sounds like a reasonable limit.
>
> Allen
>
>> On Fri, Apr 9, 2010 at 3:14 AM, Luke Shepard <lshepard@facebook.com> wrote:
>>> So, what is a reasonable limit for the token length? 1k? 2k? 4k? 5mb? I suggest some language like this:
>>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
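As an added example, not code from the thread or from any OAuth project: a small Python client-side token store that turns the 255-byte default Eran describes into an explicit, configurable limit and fails closed on oversized tokens instead of silently truncating them (a fixed-width column in a lenient database does the latter and leaves the client holding a credential that never matches the one issued), together with a check for the query-parameter URL-length concern Allen raises. The class and function names, the `oauth_token` parameter name, the 2048-byte URL budget and the sample tokens are all assumptions for illustration.

```python
# Added example (not from the mailing-list thread or any project): a client-side
# access-token store whose size limit is explicit and configurable, failing
# closed instead of silently truncating. Names, the URL budget, the query
# parameter name and the sample tokens are assumptions for illustration.
import sqlite3
from urllib.parse import urlencode

DEFAULT_MAX_TOKEN_BYTES = 255   # the default proposed in the thread; override per provider
URL_LENGTH_BUDGET = 2048        # assumed conservative practical URL limit for query-string use


class TokenTooLong(ValueError):
    """Raised instead of truncating, so an oversized token is never stored half-cut."""


class TokenStore:
    """Stores one opaque bearer token per user in SQLite with an explicit byte limit."""

    def __init__(self, max_token_bytes=DEFAULT_MAX_TOKEN_BYTES):
        self.max_token_bytes = max_token_bytes
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE tokens (user_id TEXT PRIMARY KEY, access_token TEXT NOT NULL)"
        )

    def check_size(self, token: str) -> int:
        # Tokens are opaque, so the only structural check a client can make is the
        # size bound. Measure encoded bytes: a VARCHAR(255) column under a
        # multi-byte charset is a byte budget, not a character budget.
        size = len(token.encode("utf-8"))
        if size > self.max_token_bytes:
            raise TokenTooLong(f"token is {size} bytes, limit is {self.max_token_bytes}")
        return size

    def accepts(self, token: str) -> bool:
        # Non-raising variant for callers that want a yes/no answer.
        try:
            self.check_size(token)
        except TokenTooLong:
            return False
        return True

    def save(self, user_id: str, token: str) -> None:
        self.check_size(token)  # reject before anything touches the database
        self.db.execute(
            "INSERT OR REPLACE INTO tokens (user_id, access_token) VALUES (?, ?)",
            (user_id, token),
        )
        self.db.commit()

    def load(self, user_id: str):
        row = self.db.execute(
            "SELECT access_token FROM tokens WHERE user_id = ?", (user_id,)
        ).fetchone()
        return row[0] if row else None


def silently_truncated(token: str, width: int = DEFAULT_MAX_TOKEN_BYTES) -> bool:
    # What a lenient fixed-width column does: the stored value no longer equals
    # the issued token, so every later request made with it is rejected upstream.
    return token[:width] != token


def fits_in_query_url(base_url: str, token: str, budget: int = URL_LENGTH_BUDGET) -> bool:
    # The JSONP case from the thread: the token travels as a query parameter, so
    # the whole URL, not just the token, has to stay under practical URL limits.
    query = urlencode({"oauth_token": token})   # parameter name is an assumption
    return len(f"{base_url}?{query}") <= budget


if __name__ == "__main__":
    store = TokenStore()
    store.save("alice", "x" * 255)                 # constructed sample token at the limit
    print("stored ok:", store.load("alice") == "x" * 255)
    print("256-byte token accepted with default limit:", store.accepts("y" * 256))
    big = TokenStore(max_token_bytes=4096)         # provider-specific override
    big.save("carol", "z" * 4000)
    print("lenient column would corrupt a 4000-byte token:", silently_truncated("z" * 4000))
    print("255-byte token fits in a URL:", fits_in_query_url("https://api.example.test/me", "x" * 255))
```

The limit is applied before the insert rather than left to the schema, so a provider that issues longer tokens is handled by configuration (as Eran suggests for a client library) rather than by a silent cut at column width; the multi-byte check matters because a 200-character token made of two-byte characters already exceeds a 255-byte column.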
- [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Chuck Mortimore
- Re: [OAUTH-WG] Defining a maximum token length? Marius Scurtescu
- Re: [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? Ethan Jewett
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? Marius Scurtescu
- Re: [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard
- Re: [OAUTH-WG] Defining a maximum token length? Brian Eaton
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? David Waite
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard
- Re: [OAUTH-WG] Defining a maximum token length? Brian Eaton
- Re: [OAUTH-WG] Defining a maximum token length? Justin Smith
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Moritz Maisel
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Paul Lindner
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Paul Lindner
- Re: [OAUTH-WG] Defining a maximum token length? jbemmel
- Re: [OAUTH-WG] Defining a maximum token length? Marius Scurtescu
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard
- Re: [OAUTH-WG] Defining a maximum token length? Brian Eaton
- Re: [OAUTH-WG] Defining a maximum token length? Anthony Nadalin
- Re: [OAUTH-WG] Defining a maximum token length? Allen Tom
- Re: [OAUTH-WG] Defining a maximum token length? Eran Hammer-Lahav
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Naitik Shah
- Re: [OAUTH-WG] Defining a maximum token length? Anthony Nadalin
- Re: [OAUTH-WG] Defining a maximum token length? Eliot Lear
- Re: [OAUTH-WG] Defining a maximum token length? Allen Tom
- Re: [OAUTH-WG] Defining a maximum token length? Eran Hammer-Lahav
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard