Along those lines, here's an access token (SWT w/o URL encoding) that has some role and attribute data. I think it is representative of how customers are using the OAuth WRAP implementation in AppFabric.
Role=user,superuser,administrator&Action=create,retrieve,update,delete&CustomerID=123456789&Issuer=https://acsinteropdemo.accesscontrol.windows.net/&Audience=http://acsinteropdemo.appspot.com/orders&ExpiresOn=1268207444&HMACSHA256=0p1PPgCcox7uRw1ETtUTlpwBgfGAF3UhTFaHUPaprik=

--justin

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Eaton
Sent: Tuesday, March 09, 2010 11:35 PM
To: Luke Shepard
Cc: OAuth WG
Subject: Re: [OAUTH-WG] Defining a maximum token length?

On Tue, Mar 9, 2010 at 11:02 PM, Luke Shepard <lshep...@facebook.com> wrote:
> I'd still like to see someone construct an example access token that is
> longer than 255 characters that would be reasonably used. If there
> are real, legitimate use cases that REQUIRE more than that many
> characters, then let's hear them. I don't think that appealing to
> "it might be useful" is a good enough argument.

Cached group memberships and other user attributes are what typically blow out the cookie size in enterprise environments.

If you browse around the web for a bit you'll see various sites that set very large cookies after users log in. They are caching state in the cookie.

It's all fair game for API tokens as well.

Cheers,
Brian
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
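
An added example, not part of the thread or of any participant's code: a Python check for a token in the unencoded form shown in the message above. It verifies the HMACSHA256 field, Audience and ExpiresOn, and optionally enforces a length cap like the 255 characters under discussion. Assumptions: the HMAC covers everything before `&HMACSHA256=`, the key is constructed (so the signature differs from the one in the message), and `sign_swt` / `validate_swt` are hypothetical names.

```python
import base64, hashlib, hmac, time

SIG = "&HMACSHA256="
# Claim string from the message above; KEY is constructed for this example,
# so the signature differs from the one in the message.
CLAIMS = ("Role=user,superuser,administrator"
          "&Action=create,retrieve,update,delete&CustomerID=123456789"
          "&Issuer=https://acsinteropdemo.accesscontrol.windows.net/"
          "&Audience=http://acsinteropdemo.appspot.com/orders"
          "&ExpiresOn=1268207444")
KEY = b"constructed-demo-key-not-a-real-secret"

def sign_swt(claims, key):
    """Append base64(HMAC-SHA256(key, claims)) as the final field."""
    mac = hmac.new(key, claims.encode(), hashlib.sha256).digest()
    return claims + SIG + base64.b64encode(mac).decode()

def validate_swt(token, key, audience, now=None, max_len=None):
    """Return the claims as a dict, or raise ValueError naming the failed check."""
    if max_len is not None and len(token) > max_len:
        raise ValueError(f"token is {len(token)} chars, limit is {max_len}")
    claims, sep, sig = token.rpartition(SIG)
    if not sep:
        raise ValueError("missing HMACSHA256 field")
    try:
        given = base64.b64decode(sig, validate=True)
    except ValueError:
        raise ValueError("signature is not valid base64") from None
    expected = hmac.new(key, claims.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):  # constant-time compare
        raise ValueError("bad signature")
    # Parse only after the signature checks out.
    fields = dict(pair.split("=", 1) for pair in claims.split("&"))
    if fields.get("Audience") != audience:
        raise ValueError("wrong audience")
    if int(fields.get("ExpiresOn", "0")) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return fields

TOKEN = sign_swt(CLAIMS, KEY)

if __name__ == "__main__":
    aud = "http://acsinteropdemo.appspot.com/orders"
    print(len(TOKEN), "characters")
    print(validate_swt(TOKEN, KEY, aud, now=1268207000)["Role"])
    try:
        validate_swt(TOKEN, KEY, aud, now=1268207000, max_len=255)
    except ValueError as err:
        print("rejected:", err)
```

A receiver that capped tokens at 255 characters would reject this token before looking at its signature, even though the token carries only three short attributes.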