On Apr 10, 2010, at 3:05 AM, Torsten Lodderstedt wrote:

> Hi Allen,
>
> as I already posted, I don't think a size limit is a good idea.

+1

> Regarding your example: As per RFC-2109, 4KB is the minimum size that must be
> supported by user agents. The maximum size is not restricted:
> "In general, user agents' cookie support should have no fixed limits.".
>
> Moreover, other HTTP authentication mechanisms need much more than 4KB. For
> example, SPNEGO authentication headers can be up to 12392 bytes.

Cheers,

- johnk

> regards,
> Torsten.
>
> On 10.04.2010 01:49, Allen Tom wrote:
>> I think a good precedent would be to use the HTTP Cookie size limit, which
>> is 4KB.
>>
>> An OAuth Access Token is like an HTTP Authorization cookie. They're both
>> bearer tokens that are used as credentials for a client to access
>> protected resources on behalf of the end user.
>>
>> All OAuth clients have to implement HTTP anyway, so 4KB sounds like a
>> reasonable limit.
>>
>> Allen
>>
>>> On Fri, Apr 9, 2010 at 3:14 AM, Luke Shepard <lshep...@facebook.com> wrote:
>>>
>>>> So, what is a reasonable limit for the token length? 1k? 2k? 4k? 5mb? I
>>>> suggest some language like this:
>>>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth