发表新帖
发表新帖

What are the characteristics of an OAuth token?

后端 未结
关注
7 1994
谎友^
谎友^ 2021-02-04 00:52

How many characters long can an oauth access token and oauth access secret be and what are the allowed characters? I need to store them in a d

相关标签:
7条回答
  • 天涯浪人
    2021-02-04 01:03

    As most people already pointed out. The OAuth specification doesn't give you exact directions but they do say...

    cited from: http://tools.ietf.org/html/draft-hammer-oauth-10#section-4.9

    "Servers should be careful to assign shared-secrets which are long enough, and random enough, to resist such attacks for at least the length of time that the shared-secrets are valid."

    "Of course, servers are urged to err on the side of caution, and use the longest secrets reasonable."

    on the other hand, you should consider the maximum URL length of browsers:

    see: http://www.boutell.com/newfaq/misc/urllength.html

    0 讨论(0)
  • 后悔当初
    2021-02-04 01:04

    I am not sure there are any explicit limits. The spec doesn't have any. That said, OAuth tokens are often passed as url parameters and so have some of the same limitations. ie need to be properly encoded, etc.

    0 讨论(0)
  • 余生分开走
    2021-02-04 01:04

    An OAuth token is conceptually an arbitrary-sized sequence of bytes, not characters. In URLs, it gets encoded using standard URL escaping mechanisms:

      unreserved = ALPHA, DIGIT, '-', '.', '_', '~'

    Everything not unreserved gets %-encoded.

    I'm not sure whether you just talk about the oauth_token parameter that gets passed around. Usually, additional parameters need to be stored and transmitted as well, such as oauth_token_secret, oauth_signature, etc. Some of them have different data types, for example, oauth_timestamp is an integer representing seconds since 1970 (encoded in decimal ASCII digits).

    0 讨论(0)
  • 醉话见心
    2021-02-04 01:05

    OAuth doesn't specify the format or content of a token. We simply use encrypted name-value pairs as token. You can use any characters in token but it's much easier to handle if the token is URL-safe. We achieve this by encoding the ciphertext with an URL-safe Base64.

    0 讨论(0)
  • 不思量自难忘°
    2021-02-04 01:05

    To be specific, even if Oauth spec doesn't say anything, if you are using java and mysql then it will be 16 characters as we generally generate the tokens using UUID and store it as BINARY(16) in the database. I know these details as I have recently done the development using OAuth.

    0 讨论(0)
  • 再見小時候
    2021-02-04 01:09

    If you read the spec, it says,

    The authorization server issues the registered client a client
    identifier - a unique string representing the registration
    information provided by the client. The client identifier is not a
    secret; it is exposed to the resource owner, and MUST NOT be used
    alone for client authentication. The client identifier is unique to
    the authorization server.

    The client identifier string size is left undefined by this
    specification. The client should avoid making assumptions about the
    identifier size. The authorization server SHOULD document the size
    of any identifier it issues.

    Second, Access Token should be sent as header, not as a URL param.

    Authorization: Bearer < token>.

    0 讨论(0)
 看不清?
提交回复
热议问题