On Fri, Apr 9, 2010 at 3:14 AM, Luke Shepard <[email protected]> wrote:
> Let's finish off the thread on token length limits.
>
> In summary, David Recordon proposed a length limit of 255 characters due to 
> database length limits ("blobs versus shorter and indexable types such as 
> varchars"). Several people were opposed to the 255 length limit. However, 
> there was general favor of a limit, but just that it should be a bit longer.
>
> So, what is a reasonable limit for the token length?  1k? 2k? 4k? 5mb? I 
> suggest some language like this:
>
>        Access tokens MUST be less than 2KB.
<snip>
> - SAML (http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)
>  "Persistent name identifier values MUST NOT exceed a length of 256 
> characters."

Note that access tokens are more like SAML assertions (which have no
size limits) than persistent name identifiers.  Persistent name
identifiers are basically user ids.

Anyone who is using access tokens in web delegation flows is going to
need to be careful of size limits.

But there are a bunch of use cases for access tokens outside of those flows.

So would it make sense to give size recommendations based on the
profile being used?

Cheers,
Brian
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
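As an added illustration of the size question raised in this thread (not code from the thread or from any OAuth draft), the following measures a token in the forms it actually takes on the wire. A "2KB" limit enforced on the character count can be exceeded once the token is percent-encoded into a query string, which is the transport a web delegation flow relies on; the self-contained token builder is a constructed stand-in for assertion-style tokens and is not a real signing scheme.

```python
import base64
import json
from urllib.parse import quote

# Constructed limit echoing the proposal in the thread: tokens under 2KB.
MAX_TOKEN_BYTES = 2048


def token_wire_sizes(token: str) -> dict:
    """Size of an access token in each representation it may take on the wire:
    raw UTF-8 bytes (e.g. an Authorization header) and percent-encoded bytes
    (e.g. a query parameter appended to a redirect URI)."""
    raw = token.encode("utf-8")
    # safe="" percent-encodes everything outside the unreserved set, so
    # '+', '/', '=' and non-ASCII characters each expand to 3+ bytes.
    encoded = quote(token, safe="").encode("ascii")
    return {
        "chars": len(token),
        "header_bytes": len(raw),
        "query_bytes": len(encoded),
    }


def within_limit(token: str, limit: int = MAX_TOKEN_BYTES) -> bool:
    """Enforce the limit on the largest wire form, not on the character count."""
    sizes = token_wire_sizes(token)
    return max(sizes["header_bytes"], sizes["query_bytes"]) < limit


def make_self_contained_token(claims: dict) -> str:
    """Constructed assertion-style token: base64url(JSON claims), unsigned.
    It only shows how such a token grows with the claims it carries."""
    body = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    # base64url alphabet ('-' and '_') is in the unreserved set, so this form
    # has identical header and query sizes.
    return base64.urlsafe_b64encode(body).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    opaque = "+" * 700                      # 700 chars, but 2100 bytes once encoded
    print(token_wire_sizes(opaque), within_limit(opaque))
    assertion = make_self_contained_token(
        {"sub": "alice", "scope": " ".join(f"scope{i}" for i in range(400))})
    print(token_wire_sizes(assertion), within_limit(assertion))
```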