I believe that Google wishes to encode information within access tokens so that they can be verified in a stateless manner. Brian, how many characters do you need?
On Tue, Mar 9, 2010 at 4:23 PM, Marius Scurtescu <[email protected]> wrote: > On Tue, Mar 9, 2010 at 3:50 PM, David Recordon <[email protected]> wrote: >> Ideally we'd limit the length of access and refresh tokens as well as >> client keys and secrets to no more than 255 characters (a one byte >> varchar in MySQL). > > Add verification codes to the list as well. > > >> Is this an issue for anyone? > > Not sure if anyone really wants to do this, but long tokens would > allow you to implement a stateless authorization server. A refresh > token can encrypt all the information needed to issue an access toke, > similar for a verification code. Such a server could either not deal > with revocations and replays, or track state only for revoked refresh > tokens and used verification codes. > > That being said, I don't see a problem with limiting the lengths. > > > Marius > _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
