Hi Allen,

as I already posted, I don't think a size limit is a good idea.

Regarding your example: As per RFC-2109, 4KB is the minimum size that must be supported by user agents. The maximum size is not restricted:
"In general, user agents' cookie support should have no fixed limits.".

Moreover, other HTTP authentication mechanisms need much more than 4KB. For example, SPNEGO authentication headers can be up to 12392 bytes.

regards,
Torsten.

On 10.04.2010 01:49, Allen Tom wrote:
I think a good precedent would be to use the HTTP Cookie size limit, which
is 4KB.

An OAuth Access Token is like an HTTP Authorization cookie. They're both
bearer tokens that are used as credentials for a client to access
protected resources on behalf of the end user.

All OAuth clients have to implement HTTP anyway, so 4KB sounds like a
reasonable limit.

Allen



On Fri, Apr 9, 2010 at 3:14 AM, Luke Shepard<lshep...@facebook.com>  wrote:
So, what is a reasonable limit for the token length?  1k? 2k? 4k? 5mb? I
suggest some language like this:


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

