+1 small tokens. JSON-P in IE to access protected resources has a limit of some 2000 bytes of input. While OAuth 1.0 did not have a practical client-side profile, we now do have one. This at least opens up the possibility of building browser-based OAuth applications that do not need to proxy API requests to jump the cross-domain boundary. To make this practically useful, the tokens would need to be small, leaving as many of the 2000 bytes as possible for the API request itself.

-Naitik

On Sat, Apr 10, 2010 at 6:37 AM, John Kemp <j...@jkemp.net> wrote:

> On Apr 10, 2010, at 3:05 AM, Torsten Lodderstedt wrote:
>
> > Hi Allen,
> >
> > as I already posted, I don't think a size limit is a good idea.
>
> +1
>
> >
> > Regarding your example: As per RFC-2109, 4KB is the minimum size that must be supported by user agents. The maximum size is not restricted:
> > "In general, user agents' cookie support should have no fixed limits.".
> >
> > Moreover, other HTTP authentication mechanisms need much more than 4KB. For example, SPNEGO authentication headers can be up to 12392 bytes.
>
> Cheers,
>
> - johnk
>
> >
> > regards,
> > Torsten.
> >
> > On 10.04.2010 01:49, Allen Tom wrote:
> >> I think a good precedent would be to use the HTTP Cookie size limit, which is 4KB.
> >>
> >> An OAuth Access Token is like an HTTP Authorization cookie. They're both bearer tokens that are used as credentials for a client to access protected resources on behalf of the end user.
> >>
> >> All OAuth clients have to implement HTTP anyway, so 4KB sounds like a reasonable limit.
> >>
> >> Allen
> >>
> >>> On Fri, Apr 9, 2010 at 3:14 AM, Luke Shepard<lshep...@facebook.com> wrote:
> >>>
> >>>> So, what is a reasonable limit for the token length? 1k? 2k? 4k? 5mb? I suggest some language like this:
> >>>>
> >>>>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth