Re: [OAUTH-WG] Defining a maximum token length?
Justin Smith <justinsm@microsoft.com> Wed, 10 March 2010 08:00 UTC
From: Justin Smith <justinsm@microsoft.com>
To: Brian Eaton <beaton@google.com>, Luke Shepard <lshepard@facebook.com>
Thread-Topic: [OAUTH-WG] Defining a maximum token length?
Date: Wed, 10 Mar 2010 07:58:34 +0000
Message-ID: <191F411E00E19F4E943ECDB6D65C6085168BCCCD@TK5EX14MBXC113.redmond.corp.microsoft.com>
References: <fd6741651003091550t5a464496r57aae9a60c516599@mail.gmail.com> <74caaad21003091623i8b7c343jc3bb806fe327492d@mail.gmail.com> <12ED1FAC-B9C6-47C1-AC01-AB33D110EF8C@gmail.com> <68f4a0e81003091824n5453cf4cp151f313de5fd9c5e@mail.gmail.com> <fd6741651003091916o4c3b3a3ao4dc7871ddf7df23b@mail.gmail.com> <C39B5264-75E2-456A-ABB7-D1530660BA99@alkaline-solutions.com> <D3BC6FD4-0530-4677-91C8-8B060C5DCEE3@facebook.com> <daf5b9571003092335r5443fb27taf7e9f774b7c4ad1@mail.gmail.com>
In-Reply-To: <daf5b9571003092335r5443fb27taf7e9f774b7c4ad1@mail.gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Defining a maximum token length?
Along those lines, here's an access token (SWT w/o URL encoding) that has some role and attribute data. I think it is representative of how customers are using the OAuth WRAP implementation in AppFabric.

Role=user,superuser,administrator&Action=create,retrieve,update,delete&CustomerID=123456789&Issuer=https://acsinteropdemo.accesscontrol.windows.net/&Audience=http://acsinteropdemo.appspot.com/orders&ExpiresOn=1268207444&HMACSHA256=0p1PPgCcox7uRw1ETtUTlpwBgfGAF3UhTFaHUPaprik=

--justin

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Eaton
Sent: Tuesday, March 09, 2010 11:35 PM
To: Luke Shepard
Cc: OAuth WG
Subject: Re: [OAUTH-WG] Defining a maximum token length?

On Tue, Mar 9, 2010 at 11:02 PM, Luke Shepard <lshepard@facebook.com> wrote:
> I'd still like to see someone construct an example access token that is
> longer than 255 characters that would be reasonably used. If there
> are real, legitimate use cases that REQUIRE more than that many
> characters, then let's hear them. I don't think that appealing to
> "it might be useful" is a good enough argument.

Cached group memberships and other user attributes are what typically blow out the cookie size in enterprise environments. If you browse around the web for a bit you'll see various sites that set very large cookies after users log in. They are caching state in the cookie. It's all fair game for API tokens as well.

Cheers,
Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
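Added example, not code from Justin's message nor from AppFabric or ACS: a small Python minter and verifier for a token of the shape posted above. It assumes the SWT draft's signing convention as the editor understands it (HMAC-SHA256 over the token text that precedes "&HMACSHA256=", keyed with a 256-bit secret shared between issuer and audience, signature base64-encoded and appended as the last parameter). The demo key, the example.invalid audience and the minted claims are constructed; the posted token itself cannot be verified here because its key is not on the page, so it is only parsed and measured, which also shows that a routine role/attribute token already exceeds the 255 characters discussed in the thread.

```python
# Added example: mint and verify a Simple Web Token (SWT) of the shape Justin
# posted. Not code from the message, AppFabric or ACS. Assumes the SWT draft's
# signing rule: HMAC-SHA256 over the token text before "&HMACSHA256=", keyed
# with a 256-bit shared secret, signature base64-encoded and appended last.
import base64
import hashlib
import hmac
import time
from typing import Optional

SIG_PARAM = "HMACSHA256"

# Token copied from the message above (no URL encoding). Its signing key is
# shared only between the ACS issuer and the audience, so it cannot be
# verified here; it is used only to show parsing and its length.
JUSTIN_TOKEN = (
    "Role=user,superuser,administrator"
    "&Action=create,retrieve,update,delete"
    "&CustomerID=123456789"
    "&Issuer=https://acsinteropdemo.accesscontrol.windows.net/"
    "&Audience=http://acsinteropdemo.appspot.com/orders"
    "&ExpiresOn=1268207444"
    "&HMACSHA256=0p1PPgCcox7uRw1ETtUTlpwBgfGAF3UhTFaHUPaprik="
)

# Constructed 256-bit demo key; a real deployment shares a random key out of band.
DEMO_KEY = hashlib.sha256(b"constructed demo key, not a real ACS key").digest()
DEMO_AUDIENCE = "http://example.invalid/orders"  # constructed audience URI


def _sign(unsigned: str, key: bytes) -> str:
    """Base64(HMAC-SHA256(key, unsigned token text))."""
    mac = hmac.new(key, unsigned.encode("ascii"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def mint_swt(claims: dict, key: bytes) -> str:
    """Serialise claims as name=value pairs joined by '&', signature last."""
    if SIG_PARAM in claims:
        raise ValueError("signature is computed here, not supplied by the caller")
    unsigned = "&".join(f"{name}={value}" for name, value in claims.items())
    return f"{unsigned}&{SIG_PARAM}={_sign(unsigned, key)}"


def split_swt(token: str):
    """Return (unsigned_text, claims, signature) without checking anything.

    Values are not URL-decoded, matching the form Justin posted, so the split
    is on the last '&HMACSHA256=' and then on '&' and the first '=' per pair.
    """
    marker = f"&{SIG_PARAM}="
    idx = token.rfind(marker)
    if idx < 0:
        raise ValueError("token carries no HMACSHA256 parameter")
    unsigned, signature = token[:idx], token[idx + len(marker):]
    claims = {}
    for pair in unsigned.split("&"):
        name, _, value = pair.partition("=")
        if not name or name in claims:
            raise ValueError(f"empty or duplicate claim name: {name!r}")
        claims[name] = value
    return unsigned, claims, signature


def verify_swt(token: str, key: bytes, audience: str,
               now: Optional[float] = None) -> dict:
    """Check signature, audience and expiry; return the claims or raise.

    The signature is checked first, with a constant-time comparison, so no
    claim (Role=, ExpiresOn=, ...) is acted on before it is known to be intact.
    """
    unsigned, claims, signature = split_swt(token)
    expected = _sign(unsigned, key).encode("ascii")
    if not hmac.compare_digest(expected, signature.encode("ascii")):
        raise ValueError("signature mismatch")
    if claims.get("Audience") != audience:
        raise ValueError("token is for a different audience")
    try:
        expires_on = int(claims["ExpiresOn"])
    except (KeyError, ValueError):
        raise ValueError("missing or malformed ExpiresOn") from None
    if (time.time() if now is None else now) >= expires_on:
        raise ValueError("token expired")
    return claims


def is_valid(token: str, key: bytes, audience: str,
             now: Optional[float] = None) -> bool:
    """Boolean wrapper around verify_swt for callers that only need yes/no."""
    try:
        verify_swt(token, key, audience, now)
        return True
    except ValueError:
        return False


def roles(claims: dict) -> list:
    """Multi-valued claims are comma separated, as in Role=user,superuser,..."""
    return [r for r in claims.get("Role", "").split(",") if r]


if __name__ == "__main__":
    tok = mint_swt({"Role": "user,superuser", "Audience": DEMO_AUDIENCE,
                    "ExpiresOn": str(int(time.time()) + 600)}, DEMO_KEY)
    print(len(tok), "chars:", tok)
    print("valid:", is_valid(tok, DEMO_KEY, DEMO_AUDIENCE))
    print("tampered:", is_valid(tok.replace("Role=user", "Role=administrator"),
                                DEMO_KEY, DEMO_AUDIENCE))
```

The verifier deliberately does not URL-decode values, because the token in the message is shown without URL encoding; a verifier for encoded tokens must decode each value after splitting on '&' and '=' and must still compute the HMAC over the text exactly as received. ExpiresOn is compared against the caller's clock, so the posted token (ExpiresOn=1268207444) would be rejected as expired even if its key were known.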