Whoa- are we seriously saying we need more than 255 characters to encode a token? (By the way, that's 10^396 combinations, with letters and numbers.)

Having short tokens makes the whole protocol much simpler, more approachable, easy to use for developers. I will push hard to keep them short and sweet.

For example, here's what would be needed in a naive, stateless Facebook access token:

- 32-char api_key (client identifier)
- 42-char session key
- 20-char user id (max)
- 20-char signature

All that comes to 114 characters max, which I still consider to be way too long. With a few additional optimizations (cut the signature length, base convert the app ID), it becomes closer to 70 characters, and I haven't even started trying to compress it or anything yet.

Here's what that URL would look like:

http://example.com/oauth_endpoint?wrap_access_token=2m2zpk2w|2.5ybrE_bzYCp6A7_pK5PDVA__.3600.1268200800-2901279|aCe23FSrNM

For comparison, here's a URL with a 255-character access token:

http://example.com/oauth_endpoint?9295730172112|2.5ybrE_bzYCp6A7_pK5PDVA__.3600.1268200800-2901279|zpssaSxclo9eWs7Jw1Hga3FSrN9295730172112|2.5ybrE_bzYCp6A7_pK5PDVA__.3600.1268200800-2901279|zpssaSxclo9eWs7Jw1Hga3FSrNM9295730172112|2.5ybrE_bzYCp6A7_pK5PDVA__.3600.1268200800-2901279|zpcloMM'

Isn't that ugly? At least in my email window, the first URL fits on one line while the other stretches to three. This is starting to remind me of some OpenID URLs I've seen.

Torsten just replied:

> So access token would
> contain the following data: User Id, Consumer id, context(s), validity,
> authentication methods, user attributes, user permissions, digital
> signature, token id ... length would vary between 200 and 700 Bytes.

Can you give a representative example of that? I find it hard to believe that even all of those attributes couldn't fit into a much shorter token, if smartly sized.

Thanks,
Luke

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
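As an added example (not Luke's code and not Facebook's actual token format), the Python below sketches a stateless signed token carrying the four fields listed in the message: client id, session key, user id and signature. The layout `app_id_base62|session_key.ttl.expires-user_id|signature`, the HMAC-SHA256 signature and the signing secret are assumptions made for the illustration; the app id, session key, expiry and user id values are taken from the example URLs in the message. It shows how base-62 encoding of the app id and a truncated signature bring the token to about 70 characters, and what a verifier has to do before it trusts any field in such a token.

```python
import base64
import hashlib
import hmac

# Base-62 alphabet used to shorten the numeric app id (the "base convert
# the app ID" optimization mentioned in the message).
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Constructed signing secret for this example only; a real server keeps
# its token-signing key in a secret store and rotates it.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def base62_encode(n: int) -> str:
    """Encode a non-negative integer in base 62 (shorter than decimal)."""
    if n < 0:
        raise ValueError("negative ids not supported")
    if n == 0:
        return ALPHABET[0]
    digits = []
    while n:
        n, rem = divmod(n, 62)
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits))


def base62_decode(s: str) -> int:
    """Inverse of base62_encode; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 62 + ALPHABET.index(ch)
    return n


def _sign(payload: str, sig_chars: int) -> str:
    """HMAC-SHA256 over the payload, URL-safe base64, truncated to sig_chars.

    Each base64 character dropped removes 6 bits of forgery resistance, so
    "cut the signature length" is a size/security trade-off, not free.
    """
    mac = hmac.new(SERVER_SECRET, payload.encode("ascii"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")[:sig_chars]


def mint_token(app_id: int, session_key: str, user_id: int,
               issued_at: int, ttl: int, sig_chars: int = 20) -> str:
    """Build app_b62|session_key.ttl.expires-user_id|signature (assumed layout)."""
    expires = issued_at + ttl
    payload = f"{base62_encode(app_id)}|{session_key}.{ttl}.{expires}-{user_id}"
    return f"{payload}|{_sign(payload, sig_chars)}"


def verify_token(token: str, now: int, sig_chars: int = 20):
    """Return the claims as a dict, or None if forged, malformed or expired.

    The signature is checked (in constant time) before any field is parsed,
    so unauthenticated bytes never reach the parsing logic.
    """
    payload, sep, sig = token.rpartition("|")
    if not sep or len(sig) != sig_chars:
        return None
    if not hmac.compare_digest(_sign(payload, sig_chars), sig):
        return None
    try:
        app_part, _, rest = payload.partition("|")
        session_key, ttl_s, exp_user = rest.rsplit(".", 2)
        exp_s, user_s = exp_user.split("-")
        claims = {
            "app_id": base62_decode(app_part),
            "session_key": session_key,
            "ttl": int(ttl_s),
            "expires": int(exp_s),
            "user_id": int(user_s),
        }
    except ValueError:
        return None
    if now >= claims["expires"]:
        return None
    return claims


if __name__ == "__main__":
    # Field values from the example URLs in the message; issued_at is chosen
    # so that issued_at + ttl equals the 1268200800 expiry shown there.
    for n in (20, 10):
        tok = mint_token(9295730172112, "2.5ybrE_bzYCp6A7_pK5PDVA__", 2901279,
                         1268197200, 3600, sig_chars=n)
        ok = verify_token(tok, now=1268197300, sig_chars=n) is not None
        print(f"{len(tok)} chars, verifies={ok}: {tok}")
```

With a 20-character signature the token is 80 characters; with 10 it is 70, matching the "closer to 70 characters" figure above. Whatever the length chosen, the verifier's order of operations matters more than the byte count: recompute the MAC, compare in constant time, only then parse and check expiry, and reject anything that does not fit the expected shape.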