I would actually like to see the inclusion of reference tokens here also. I do think that the 255-character limit is too restrictive and needs to be revisited.
-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Eaton
Sent: Friday, April 09, 2010 12:12 PM
To: Luke Shepard
Cc: OAuth WG
Subject: Re: [OAUTH-WG] Defining a maximum token length?

On Fri, Apr 9, 2010 at 3:14 AM, Luke Shepard <lshep...@facebook.com> wrote:
> Let's finish off the thread on token length limits.
>
> In summary, David Recordon proposed a length limit of 255 characters due to
> database length limits ("blobs versus shorter and indexable types such as
> varchars"). Several people were opposed to the 255 length limit. However,
> there was general favor of a limit, but just it should be a bit longer.
>
> So, what is a reasonable limit for the token length? 1k? 2k? 4k? 5mb? I
> suggest some language like this:
>
> Access tokens MUST be less than 2KB.

<snip>

> - SAML
> (http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)
> "Persistent name identifier values MUST NOT exceed a length of 256
> characters."

Note that access tokens are more like SAML assertions (which have no size limits) than persistent name identifiers. Persistent name identifiers are basically user ids.

Anyone who is using access tokens in web delegation flows is going to need to be careful of size limits. But there are a bunch of use cases for access tokens outside of those flows. So would it make sense to give size recommendations based on the profile being used?

Cheers,
Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
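The thread contrasts two kinds of access token: an opaque reference token that the server looks up in a database (where a varchar column length such as 255 is the binding constraint) and a self-contained token that carries its claims and a signature (which grows with the claims and is what motivates a larger limit like "less than 2KB"). The block below is an added illustration written for this page; it is not code from the working group or from either poster. It assumes a hypothetical JWS-like layout for the self-contained token (base64url header, payload and HMAC-SHA256 signature) purely to measure size, and a hypothetical in-memory store for reference tokens that hashes the token before storing it and rejects over-length input before any lookup. The sample claims and key are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Limits discussed in the thread: a varchar(255) column versus a 2KB ceiling.
VARCHAR_LIMIT = 255
PROPOSED_LIMIT = 2048


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding used for compact web tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_reference_token(nbytes: int = 32) -> str:
    """Opaque handle: 256 bits from the OS CSPRNG, encoded to 43 ASCII characters.

    A reference token carries no claims, so its size is fixed by the entropy
    chosen, not by what the authorization server knows about the user.
    """
    return b64url(secrets.token_bytes(nbytes))


def storage_key(token: str) -> str:
    """Index reference tokens by their SHA-256 hash (64 hex chars), so a
    database leak does not hand out live tokens and the column stays short."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def new_self_contained_token(claims: dict, key: bytes) -> str:
    """Hypothetical header.payload.signature token (assumed format for size
    comparison only): the payload grows with every claim and scope added."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                               separators=(",", ":")).encode("utf-8"))
    payload = b64url(json.dumps(claims, separators=(",", ":"),
                                sort_keys=True).encode("utf-8"))
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = b64url(hmac.new(key, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{signature}"


def fits(token: str, limit: int) -> bool:
    """True if the token is ASCII and at most `limit` characters long."""
    return token.isascii() and len(token) <= limit


class TokenStore:
    """Hypothetical reference-token store standing in for a varchar-indexed table."""

    def __init__(self, max_len: int = VARCHAR_LIMIT):
        self._max_len = max_len
        self._by_hash: dict[str, dict] = {}

    def issue(self, subject: str, scope: str) -> str:
        token = new_reference_token()
        self._by_hash[storage_key(token)] = {"sub": subject, "scope": scope}
        return token

    def lookup(self, presented: str):
        # Reject oversized or non-ASCII input before it reaches the database:
        # a token longer than the column can never match and need not be hashed.
        if not presented or not fits(presented, self._max_len):
            return None
        return self._by_hash.get(storage_key(presented))


# Constructed sample claims for the self-contained token (not real endpoints).
SAMPLE_CLAIMS = {
    "iss": "https://as.example.com",
    "sub": "user-1234567890",
    "aud": "https://api.example.com",
    "exp": 1270900000,
    "iat": 1270896400,
    "scope": ("https://api.example.com/auth/photos.read "
              "https://api.example.com/auth/photos.write "
              "https://api.example.com/auth/contacts.read"),
}
SAMPLE_KEY = b"k" * 32  # constructed HMAC key, never reuse in production


if __name__ == "__main__":
    ref = new_reference_token()
    sct = new_self_contained_token(SAMPLE_CLAIMS, SAMPLE_KEY)
    print(f"reference token: {len(ref)} chars, fits 255: {fits(ref, VARCHAR_LIMIT)}")
    print(f"self-contained:  {len(sct)} chars, fits 255: {fits(sct, VARCHAR_LIMIT)}, "
          f"fits 2KB: {fits(sct, PROPOSED_LIMIT)}")
```

With three scopes and the usual registered claims, the self-contained token already overshoots 255 characters yet sits comfortably under 2KB, while the reference token is 43 characters regardless of claims. The length check in `lookup` is the practical consequence of choosing a column limit: the server should enforce the same bound on input it is willing to hash and query, rather than let an attacker push oversized strings into the lookup path.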