Ideally we'd limit the length of access and refresh tokens as well as client keys and secrets to no more than 255 characters (a one byte varchar in MySQL). Is this an issue for anyone?
The OAuth 1.0 protocol specifically states: Clients should avoid making assumptions about the size of tokens and other server-generated values, which are left undefined by this specification. That seems like a poor idea when it comes to implementability of the technology. Why did OAuth 1.0 make that decision? --David _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
