+1 on removing the recommendation to keep the tokens shorter than 255 chars.

While it's certainly a good idea to keep tokens reasonably compact, the same way it's a great idea to keep URLs and Cookies short, the statement in the spec doesn't really do much. In practice, the tokens/URLs/parameters need to be short enough such that the resulting URLs are less than 2KB (to support user agents and proxy servers that truncate long URLs) and that the HTTP Authorization header is less than the maximum allowed size (?? chars).

I do acknowledge that it's ideal to specify a size limit on tokens - it makes life easier for implementers so that they'll be able to size their databases, and bandwidth/CPU constrained devices (aka mobile) will also benefit from having compact tokens.

Allen

On 4/1/10 11:37 AM, "Marius Scurtescu" <mscurte...@google.com> wrote:

> +1 on all comments, except for some question on 6...
>
>
> On Thu, Apr 1, 2010 at 11:06 AM, Justin Smith <justi...@microsoft.com> wrote:
>> Eran,
>>
>> Good progress. A few comments below:
>>
>> Sec. 2.2. Flow Parameters:
>> Comment 1: The recommendation to keep access tokens less than 255 chars seems
>> bizarre. I'd like to remove it entirely. Previous threads have discussed
>> this.
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth