On Fri, Mar 19, 2010 at 8:44 AM, <jbem...@zonnet.nl> wrote:
> Hi,
>
> It appears that people agree excessive token length could be an issue for
> interoperability, but opinions vary on how long tokens could/should/must be.
> Relatively long tokens will occur when encoding data associated with the
> user (access rights, group memberships, etc.), and integrity protection /
> encryption techniques (relevant when tokens would be transmitted using plain
> HTTP) could also lead to long tokens.
>
> Instead of agreeing/standardizing on a limit for token lengths, how about
> specifying a parameter in which the client declares the maximum token length
> it can accept? That way, at least potential interop problems due to long
> tokens can be detected; the Authentication server can subsequently return an
> error response if the token it would issue exceeds the client's max length.

Why can't the client just check the length of the returned token and decide if
it can use it or not? Much simpler than adding one extra parameter and
error code.

Also, the authorization server could specify the length range for its tokens in
its documentation, so clients would know what to expect before implementing
any code.

Marius
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
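The two positions in the thread, as an added example that is not part of the original messages or of any OAuth draft: a toy token that encodes user data (group memberships) plus an HMAC integrity tag, so the reader can see how length grows with the encoded claims; an authorization-server side that honours a client-declared maximum and returns an error instead of an oversized token (the quoted proposal); and a client side that simply checks the returned token's length (Marius's alternative). The parameter name `max_token_length`, the error code `token_too_long`, the token format and the demo key are all assumptions made for illustration.

```python
"""Added example, not from the thread: token length growth and the two checks
discussed. Token format, parameter name, error code and key are assumptions."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real server would load a secret from a key store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def b64url(data: bytes) -> str:
    """base64url without padding, as commonly used for tokens carried in URLs/headers."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_token(claims: dict) -> str:
    """Toy integrity-protected token: base64url(JSON claims) '.' base64url(HMAC-SHA256).

    Every extra claim (group memberships, access rights) lengthens the first
    part; the HMAC tag adds a fixed 43 characters on top.
    """
    body = b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = b64url(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def issue_token(claims: dict, max_token_length: Optional[int] = None) -> dict:
    """Authorization-server side of the quoted proposal.

    If the client declared a maximum (assumed parameter 'max_token_length') and
    the token that would be issued exceeds it, return an error response instead
    of the token. 'token_too_long' is an assumed error code, not a standard one.
    """
    token = build_token(claims)
    if max_token_length is not None and len(token) > max_token_length:
        return {"error": "token_too_long", "token_length": len(token)}
    return {"access_token": token, "token_type": "bearer"}


def client_accept(response: dict, client_max: int) -> Optional[str]:
    """Marius's alternative: the client checks the returned token's length itself.

    Returns the token if usable, or None if the response carried no token or the
    token is longer than this client can handle.
    """
    token = response.get("access_token")
    if not isinstance(token, str) or len(token) > client_max:
        return None
    return token


if __name__ == "__main__":
    small = {"sub": "alice"}  # constructed sample claims
    big = {"sub": "alice", "groups": ["admins", "developers", "ops"]}
    print(len(build_token(small)), len(build_token(big)))
    print(issue_token(big, max_token_length=100))
    print(client_accept(issue_token(big), client_max=100))
```

With the constructed claims above the minimal token is 64 characters and the one carrying three group names is 116, so a client that caps tokens at 100 either gets the assumed error response (server-side check) or rejects the token on receipt (client-side check); both outcomes surface the interoperability problem the thread is about, the difference being only where it is detected.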
