On Mar 9, 2010, at 6:50 PM, David Recordon wrote:

> Ideally we'd limit the length of access and refresh tokens as well as
> client keys and secrets to no more than 255 characters (a one byte
> varchar in MySQL). Is this an issue for anyone?
Yes. Why would we want to encode such a specific implementation decision into the OAuth standard (where I'm sure there are lots of folks who don't use MySQL to log tokens)?

> The OAuth 1.0 protocol specifically states:
> Clients should avoid making assumptions about the size of tokens and
> other server-generated values, which are left undefined by this
> specification.
>
> That seems like a poor idea when it comes to implementability of the
> technology.

Can you explain why this is a poor idea? It seems to me that such a statement leaves it open to implementations to create tokens that make sense for their usage and which work with their clients and partners.

> Why did OAuth 1.0 make that decision?

One reason I can imagine is to make it possible to encode information into the token itself so that the token can be "self-contained" (mentioned also by others on this list).

A good reason to limit token length would be if there were issues in the client implementation which meant that tokens might get truncated by particular implementations - but I would guess that these would again be implementation-specific, and not something which should be standardized generally.

Regards,
- johnk

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
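The truncation failure mode raised in the reply above, as an added example that is not part of the thread: a client that writes tokens into a column sized to the 255-character figure under discussion silently loses the tail of a longer token, and the server then rejects what the client later presents, whereas a store that checks the length fails loudly at write time. The class names, `demo`, the 255 limit as a storage constraint and the generated sample token are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Assumed client-side storage limit, matching the varchar(255) figure in the thread.
COLUMN_LIMIT = 255


def fingerprint(token: str) -> str:
    """Server records a hash of the issued token, not the token itself."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TruncatingStore:
    """Emulates writing into a varchar(255) column: the tail is silently dropped."""
    def __init__(self) -> None:
        self.rows: dict[str, str] = {}

    def save(self, client_id: str, token: str) -> None:
        self.rows[client_id] = token[:COLUMN_LIMIT]

    def load(self, client_id: str) -> str:
        return self.rows[client_id]


class StrictStore(TruncatingStore):
    """Refuses over-long tokens instead of corrupting them."""
    def save(self, client_id: str, token: str) -> None:
        if len(token) > COLUMN_LIMIT:
            raise ValueError(f"token is {len(token)} chars, column holds {COLUMN_LIMIT}")
        self.rows[client_id] = token


def server_accepts(issued_fingerprint: str, presented: str) -> bool:
    """Constant-time comparison of the presented token against the issued fingerprint."""
    return hmac.compare_digest(issued_fingerprint, fingerprint(presented))


def demo(token_length: int) -> dict:
    """Issue a constructed opaque token of the given length and replay it through both stores."""
    token = secrets.token_urlsafe(token_length)[:token_length]
    issued = fingerprint(token)
    truncating = TruncatingStore()
    truncating.save("client-a", token)
    result = {"truncated_accepted": server_accepts(issued, truncating.load("client-a"))}
    strict = StrictStore()
    try:
        strict.save("client-a", token)
        result["strict_accepted"] = server_accepts(issued, strict.load("client-a"))
    except ValueError:
        result["strict_accepted"] = None  # rejected at write time, nothing silently corrupted
    return result
```

With a 64-character token both stores round-trip; with a 300-character token the truncating store yields a token the server rejects, while the strict store raises before anything is written.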