On Tue, Mar 9, 2010 at 3:50 PM, David Recordon <record...@gmail.com> wrote:
> Ideally we'd limit the length of access and refresh tokens as well as
> client keys and secrets to no more than 255 characters (a one byte
> varchar in MySQL).

Add verification codes to the list as well.

> Is this an issue for anyone?

Not sure if anyone really wants to do this, but long tokens would allow you to implement a stateless authorization server. A refresh token can encrypt all the information needed to issue an access token, similar for a verification code. Such a server could either not deal with revocations and replays, or track state only for revoked refresh tokens and used verification codes.

That being said, I don't see a problem with limiting the lengths.

Marius
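
A sketch of the stateless design described in the reply, added here as an example and not code from the thread: the grant is sealed into the refresh token with AES-256-GCM, the only server state is a set of revoked ids, and the 255-character limit is enforced at issue time. The field names (`jti`, `sub`, `client`, `scope`, `exp`), the per-process key and the function names are assumptions.

```javascript
const nodeCrypto = require('crypto');

const MAX_LEN = 255;                      // limit proposed in the thread
const KEY = nodeCrypto.randomBytes(32);   // assumed: server-side AES-256 key, per process
const revoked = new Set();                // the only state kept: revoked refresh-token ids

// Seal the grant into the token itself: base64url(iv | tag | ciphertext).
function sealRefreshToken(grant) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', KEY, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(grant), 'utf8'), cipher.final()]);
  const token = Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64url');
  // 255 characters leave room for roughly 163 bytes of JSON after iv and tag.
  if (token.length > MAX_LEN) {
    throw new RangeError(`token is ${token.length} chars, limit is ${MAX_LEN}`);
  }
  return token;
}

// Recover the grant without a database lookup.
// Returns null for tampered, expired or revoked tokens.
function openRefreshToken(token, now = Date.now()) {
  try {
    const raw = Buffer.from(token, 'base64url');
    if (raw.length < 28) return null;     // shorter than iv (12) + tag (16)
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', KEY, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    const grant = JSON.parse(plain.toString('utf8'));
    if (grant.exp <= now || revoked.has(grant.jti)) return null;
    return grant;
  } catch {
    return null;                          // authentication tag or JSON check failed
  }
}
```

A grant with a long scope list exceeds the limit quickly, which is the trade-off the reply points at: the tighter the length cap, the less state the token can carry.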