Actually it's server side that's the problem. Many servers limit the size of 
the HTTP request headers they will accept. Apache 2.2, for example, uses the 
LimitRequestFieldSize Directive 
(http://httpd.apache.org/docs/2.2/mod/core.html). Its default size is 8190 
bytes. IIS, I believe, defaults to around 16 KB. But SAML assertions can easily 
clock in at 30 or 40 KB without even trying.

So as a practical matter we need a way to allow clients to assert their right 
to a token using the request body, so as not to need to artificially limit the 
size of the token that is being submitted.

                Yaron
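A constructed illustration of the server-side limit described above (added example, not code from the thread or from any OAuth draft): a minimal Apache-style header-field check with the 2.2 default of 8190 bytes per "Name: value" line, applied to the same token request built two ways, with the assertion in an authentication header and with the assertion as a form parameter in the body. The `Authorization: SAML ...` scheme and the `assertion`/`grant_type` parameter names are illustrative assumptions, not the draft's wire format; the assertion itself is base64 filler whose only relevant property is its size.

```python
"""Constructed demo: a large SAML assertion fits in the request body but
not in an HTTP header field.

Added example, not code from the OAuth WG thread. The checker models how
Apache 2.2 applies LimitRequestFieldSize (default 8190 bytes, counted per
"Name: value" line). The Authorization scheme and the form parameter names
are assumptions for illustration.
"""
import base64
from urllib.parse import urlencode

APACHE_DEFAULT_FIELD_LIMIT = 8190       # Apache 2.2 LimitRequestFieldSize default
IIS_APPROX_FIELD_LIMIT = 16 * 1024      # the rough IIS figure given in the post


def make_fake_saml_assertion(size_bytes: int) -> str:
    """Stand-in for a signed, base64-encoded SAML assertion of size_bytes.
    Constructed filler: only its length matters for this demo."""
    raw = bytes(range(256)) * (size_bytes // 256 + 1)
    return base64.b64encode(raw[: size_bytes * 3 // 4]).decode("ascii")


def check_header_fields(raw_request: bytes, field_limit: int = APACHE_DEFAULT_FIELD_LIMIT):
    """Apache-style check: reject the request if any header line exceeds
    field_limit bytes. Returns (status, reason)."""
    head, sep, _body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        return 400, "incomplete header block"
    lines = head.split(b"\r\n")
    for field in lines[1:]:                       # lines[0] is the request line
        if len(field) > field_limit:
            name = field.split(b":", 1)[0].decode("ascii", "replace")
            return 400, (f"header field {name} is {len(field)} bytes, "
                         f"exceeds server limit of {field_limit}")
    return 200, "OK"


def _build_request(extra_headers, body: str) -> bytes:
    """Assemble a form-encoded POST to the token endpoint (hypothetical URL)."""
    lines = ["POST /token HTTP/1.1",
             "Host: as.example.com",
             "Content-Type: application/x-www-form-urlencoded",
             f"Content-Length: {len(body)}",
             *extra_headers]
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode("ascii")


def token_request_assertion_in_header(assertion: str) -> bytes:
    """Credential carried in an HTTP authentication header (survey option B style).
    'SAML' as an Authorization scheme is an assumption for illustration."""
    body = urlencode({"grant_type": "assertion"})
    return _build_request([f"Authorization: SAML {assertion}"], body)


def token_request_assertion_in_body(assertion: str) -> bytes:
    """Credential carried as a request parameter (survey option A style).
    The body is not subject to LimitRequestFieldSize."""
    body = urlencode({"grant_type": "assertion", "assertion": assertion})
    return _build_request([], body)


if __name__ == "__main__":
    for size in (4000, 40000):
        a = make_fake_saml_assertion(size)
        for label, req in (("header", token_request_assertion_in_header(a)),
                           ("body", token_request_assertion_in_body(a))):
            status, reason = check_header_fields(req)
            print(f"{size:>6}-byte assertion in {label:<6}: {status} {reason}")
```

The 4 KB assertion passes either way; the 40 KB one is rejected in the header form under both the Apache default and the approximate IIS figure, and accepted in the body form. An operator who controls the server can raise `LimitRequestFieldSize`, but a protocol cannot assume every deployment has done so, which is the point of keeping a body-parameter option.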

> -----Original Message-----
> From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
> Sent: Monday, May 10, 2010 10:47 PM
> To: Yaron Goland
> Cc: Eran Hammer-Lahav; OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
> 
> On 11.05.2010 01:43, Yaron Goland wrote:
> >
> >> ---
> >>
> >> 2. Client Authentication (in flows)
> >>
> >> How should the client authenticate when making token requests? The
> >> current draft defines special request parameters for sending client
> >> credentials. Some have argued that this is not the correct way, and
> >> that the client should be using existing HTTP authentication schemes
> >> to accomplish that such as Basic.
> >>
> >> A. Client authenticates by sending its credentials using special
> >> parameters (current draft) B. Client authenticated by using HTTP
> >> Basic (or other schemes supported by the server such as Digest)
> >>
> >>
> > [Yaron Goland] A is needed at a minimum because there are physical
> limitations to how many bytes can go into an authorization header.
> >
> 
> As far as I know, 4 KB is the minimum size for headers that must be supported
> by user agents, which should suffice from my point of view.
> Moreover, other HTTP authentication mechanisms need much more than
> 4 KB. For example, SPNEGO authentication headers can be up to 12392 bytes.
> 
> regards,
> Torsten.
> 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
