Let's finish off the thread on token length limits.
In summary, David Recordon proposed a length limit of 255 characters due to
database length limits ("blobs versus shorter and indexable types such as
varchars"). Several people were opposed to the 255 length limit. However, there
was general favor of a limit, but that it should be a bit longer.
So, what is a reasonable limit for the token length? 1k? 2k? 4k? 5mb? I
suggest some language like this:
Access tokens MUST be less than 2KB.
Here are some representative comments from the thread:
David Recordon:
"The challenge is that client developers (who we really want to make
OAuth dead simple for) will be forced to use less optimal storage for tokens
(blobs versus shorter and indexable types such as varchars)."
Chuck Mortimore:
"Standards have size limits to overcome operational issues all the
time."
Dick Hardt:
"I would not want to limit them any more than they need to be... I do
see the need to make it clear that it can be a few K or something"
Ethan Jewett:
"I've heard tell of Yahoo access tokens with encoded information
weighing in at up to 800 characters."
Torsten Lodderstedt:
"For our token format, access token length would vary between 200 and
700 Bytes."
David Waite:
"access tokens shouldn't be required to be over an order of magnitude
smaller than browser cookies or HTTP headers... there are accepted 'minimum
maximums' out there - which are the minimum size that user agents are expected to
support, and the maximum size the server will assume to be supported by an
arbitrary agent."
John Kemp:
"Why would we want to encode such a specific implementation decision
into the OAuth standard?"
And there were some cited precedents for length limits in standards:
- SAML (http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)
"Persistent name identifier values MUST NOT exceed a length of 256
characters."
- Email (http://www.faqs.org/rfcs/rfc2822.html)
There are two limits that this standard places on the number of
characters in a line. Each line of characters MUST be no more than
998 characters, and SHOULD be no more than 78 characters, excluding the CRLF.
http://www.ietf.org/rfc/rfc2821.txt
There are several objects that have required minimum/maximum sizes.
Every implementation MUST be able to receive objects of at least
these sizes. Objects larger than these sizes SHOULD be avoided when
possible. However, some Internet mail constructs such as encoded
X.400 addresses [16] will often require larger objects: clients MAY
attempt to transmit these, but MUST be prepared for a server to
reject them if they cannot be handled by it. To the maximum extent
possible, implementation techniques which impose no limits on the
length of these objects should be used.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth