Yaron,

> Note that in some very popular browsers and some proxies the maximum safe URL
> size is more like 2k.

2KB is sufficient for a 4096-bit RSA signature = 4096 / 8 * 4 / 3 = 683 base64 chars -- with 1.3KB over for permissions etc.

> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Dick Hardt
> Sent: Sunday, May 16, 2010 5:27 PM
> To: Manger, James H
> Cc: OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] in-app logout?
>
>
> On 2010-05-16, at 5:20 PM, Manger, James H wrote:
>
> > Dick,
> >
> >> James: An important capability of the refresh token is that it *can* be a
> >> self contained token in that it is not an id, but a signed token that can be
> >> examined and acted upon on presentation.
> >
> > Defining refresh_token as a URI does not prevent it being a self-contained
> > signed token.
> >
> > The only limitation implied is a URI size limit. A few KB, however, is not
> > that onerous a limit -- it is sufficient to hold a 4096-bit RSA signature
> > with a couple of KB over for permissions etc.
>
> Agreed, a token could be a self contained token. A design objective was
> allowing existing systems to use existing tokens.
>
> -- Dick