+1
If the system just needs a random identifier with state maintained on
the server, then the current tokens are fine. For those systems that
plan to encrypt data in the scopes (or use JWTs) they will be much larger.
Thanks,
George
On 7/7/11 9:24 AM, William J. Mills wrote:
Access tokens realistically may be longer as they may have encrypted
scopes and such.
------------------------------------------------------------------------
*From:* Eran Hammer-Lahav <[email protected]>
*To:* Brian Campbell <[email protected]>; Oleg Gryb
<[email protected]>
*Cc:* OAuth WG <[email protected]>
*Sent:* Wednesday, July 6, 2011 8:53 PM
*Subject:* Re: [OAUTH-WG] Example tokens
Does that apply to access tokens, refresh tokens, and authorization
codes? I can try squeezing in 22 characters.
EHL
> -----Original Message-----
> From: Brian Campbell [mailto:[email protected]]
> Sent: Wednesday, July 06, 2011 8:46 PM
> To: Oleg Gryb
> Cc: Eran Hammer-Lahav; OAuth WG
> Subject: Re: [OAUTH-WG] Example tokens
>
> So on the 128-bit note, the examples could probably be a bit shorter,
> 22 characters would give somewhat more than 128 bits of randomness.
> But to EHL's original question, the examples (currently 7-12
> characters) should probably be longer.
>
> On Wed, Jul 6, 2011 at 5:27 PM, Oleg Gryb <[email protected]> wrote:
> > log2(64^27)=162 bits
> >
> > Looks good. For comparison, 128-bit entropy for a key in symmetric
> > encryption used by SSL is considered as strong.
> > I'm assuming that all those 162 bits are generated by a good
> > randomizer.
> >
> > ----- Original Message ----
> >> From: Brian Campbell <[email protected]>
> >> To: Eran Hammer-Lahav <[email protected]>
> >> Cc: OAuth WG <[email protected]>
> >> Sent: Wed, July 6, 2011 4:06:29 PM
> >> Subject: Re: [OAUTH-WG] Example tokens
> >>
> >> If I've done the math correctly, 27 characters would give you a
> >> little more than 20 bytes worth of randomness (assuming you are
> >> using random alphanumeric characters or base64url encoded bytes).
> >> 20 bytes is something you see as a SHOULD type minimum length in
> >> other protocols for random identifiers. Not sure if that's
> >> sufficient reasoning but it's what I can come up with.
> >>
> >> On Wed, Jul 6, 2011 at 4:40 PM, Eran Hammer-Lahav
> >> <[email protected]> wrote:
> >> > Are the tokens used in the examples long enough? I don't want the
> >> > examples
> >> > to demonstrate poor choice of byte count.
> >> > EHL
> >> > _______________________________________________
> >> > OAuth mailing list
> >> > [email protected]
> >> > https://www.ietf.org/mailman/listinfo/oauth
> >> >
> >> >
> >> _______________________________________________
> >> OAuth mailing list
> >> [email protected]
> >> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
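The arithmetic the thread is doing by hand (log2(64^27) = 162 bits, 22 base64url characters for a bit more than 128 bits, 27 characters for 20 bytes) is small enough to put in a script. The following is an added example, not code from the mailing-list thread or from any OAuth implementation; the function names, the alphabet constants and the use of Python's `secrets` module as the CSPRNG are my choices. It also shows the point Oleg raises: the bit count only means anything if the symbols come from a cryptographically secure generator, so the generator here is `secrets`, never `random`.

```python
import math
import secrets
import string

# Alphabets the thread discusses: base64url (64 symbols) and plain
# alphanumerics (62 symbols). Names are this example's, not the spec's.
BASE64URL_ALPHABET = string.ascii_letters + string.digits + "-_"
ALNUM_ALPHABET = string.ascii_letters + string.digits


def entropy_bits(length: int, alphabet_size: int = 64) -> float:
    """Bits of entropy in `length` independent, uniformly random symbols
    from an alphabet of `alphabet_size`: log2(alphabet_size ** length).
    With the 64-symbol base64url alphabet that is exactly 6 bits/char."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits: int, alphabet_size: int = 64) -> int:
    """Smallest symbol count whose entropy reaches `target_bits`
    (128 bits over base64url -> 22 characters, 160 bits -> 27)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_token(length: int, alphabet: str = BASE64URL_ALPHABET) -> str:
    """Token of `length` symbols drawn independently with the OS CSPRNG.
    `secrets.choice` is uniform over the alphabet, so each symbol carries
    the full log2(len(alphabet)) bits; a seeded PRNG like `random` would
    make the bit count above meaningless."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def token_from_bytes(nbytes: int) -> str:
    """base64url-encode `nbytes` random bytes with padding stripped, the
    other construction Brian mentions. The string carries exactly
    8 * nbytes bits, not 6 * len(token): 16 bytes -> 22 chars (128 bits),
    20 bytes -> 27 chars (160 bits); the last character is only partly
    random because it encodes fewer than 6 fresh bits."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print(entropy_bits(27))            # 162.0, as Oleg computed
    print(entropy_bits(22, 62))        # ~131 bits for 22 alphanumerics
    print(min_length_for_bits(128))    # 22
    print(min_length_for_bits(160))    # 27
    print(len(token_from_bytes(16)), token_from_bytes(16))
    print(random_token(27))
```

When sizing the example tokens for a document, the character count is a proxy; the security property is the number of random bits behind it, so derive the length from a target bit count (128 or 160 here) and a known alphabet rather than the other way round.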