Hi,

It appears that people agree excessive token length could be an issue for interoperability, but opinions vary on how long tokens could/should/must be. Relatively long tokens will occur when encoding data associated with the user (access rights, group memberships, etc.), and integrity protection / encryption techniques (relevant when tokens would be transmitted using plain HTTP) could also lead to long tokens.

Instead of agreeing/standardizing on a limit for token lengths, how about specifying a parameter in which the client declares the maximum token length it can accept? That way, at least potential interop problems due to long tokens can be detected; the Authentication server can subsequently return an error response if the token it would issue exceeds the client's max length.

Regards,
Jeroen
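One way the proposed server-side check could look, as an added example written for this note and not part of the original message or of any OAuth specification; the `max_token_length` request parameter, the error code and the signing key are assumptions, and the claims are constructed sample data:

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real server would load its signing key securely.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in compact token serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def issue_token(claims: dict) -> str:
    """Build a compact HMAC-SHA256 signed token: header.payload.signature.
    Integrity protection adds a fixed-size tail; the user claims drive the rest."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def token_response(claims: dict, max_token_length: Optional[int]) -> dict:
    """Server side of the proposal: max_token_length is a hypothetical parameter
    the client declares in its request. If the token that would be issued is
    longer than that, return an error response instead of the token."""
    token = issue_token(claims)
    if max_token_length is not None and len(token) > max_token_length:
        return {
            "error": "invalid_request",  # assumed error code, not from any spec
            "error_description": (
                f"issued token would be {len(token)} characters, "
                f"client accepts at most {max_token_length}"
            ),
        }
    return {"access_token": token, "token_type": "bearer"}


# Constructed claims: a minimal set versus one carrying many group memberships.
SMALL_CLAIMS = {"sub": "alice", "scope": "read"}
LARGE_CLAIMS = {"sub": "alice", "scope": "read write",
                "groups": [f"group-{i}" for i in range(40)]}

if __name__ == "__main__":
    for claims in (SMALL_CLAIMS, LARGE_CLAIMS):
        print(len(issue_token(claims)), sorted(token_response(claims, 256)))
```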
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth