Can access token be longer than 255 characters?

3

9

When allowing login by OAuth (such as OpenID, Facebook, Twitter, etc.), we save the access token given by the OAuth provider in a MySQL database for future authentication. In some tutorials, the column for saving the access token is varchar(255) and some use text. I wonder if the access token (from common websites such as Facebook and Twitter) is longer than 255 characters, needing a text column. Should we consider this possibility?

Heathenize answered 11/11, 2011 at 18:46 Comment(1)
From the spec: "The access token string size is left undefined by this specification." - tools.ietf.org/html/rfc6749#section-4.2.2 - Whinny
3

You won't run into the problem with Facebook or Twitter from my experience (in 3+ years there hasn't been a problem for me on my systems storing it at length 255). That said, a quick search did bring up this question on Quora: http://www.quora.com/OAuth-1/Whats-the-maximum-length-of-an-OAuth-access-token-key-secret-pair

This answer is incredibly old and incorrect. Look at the latest answers. Do not limit the size of the access token.

Moisesmoishe answered 11/11, 2011 at 19:3 Comment(2)
You have to sign up at Quora to read their answers. What is the quintessence of the answers there? - Bladdernose
Seriously, you might as well be linking to Expert's Exchange. The gist of the Quora answers is: length isn't covered in the spec; you shouldn't explicitly limit the size of a token that you'll accept; Yahoo's tokens were around 400 chars at the time of the Quora answer; Facebook's tokens were around 344 chars at the time of a different Quora answer. - Ojibwa
39

I work at Facebook and I can give a definitive answer about this.

Please don't put a maximum size on the storage for an access token. We expect that they will both grow and shrink over time as we add and remove data and change how they are encoded.

We did give guidance in one place about it being 255 characters. I've updated the blog post that had that information and updated our new access token docs to include a note about sizes:

https://developers.facebook.com/docs/facebook-login/access-tokens/

Sorry for the confusion.

Scholastic answered 3/5, 2013 at 19:8 Comment(1)
This should be the accepted answer - just ran into a problem w/ a database column that was varchar(255) and got a Facebook OAuth token that was 260 characters. - Torquemada
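
One way to apply the advice in the answer above in MySQL, as an added example that is not from any of the posters: the token goes in a TEXT column with a fixed-size SHA-256 digest for indexed lookups, and a query flags rows that an old varchar(255) column may have truncated. All table, column and index names are hypothetical, and the generated column assumes MySQL 5.7 or later.

```sql
-- Added example; table, column and index names are hypothetical.

-- In non-strict mode MySQL truncates an over-long value and only raises a
-- warning. Strict mode turns that into an error so a cut-off token is never
-- stored. (This statement replaces the session's sql_mode list; append to the
-- existing list instead if you rely on other modes.)
SET SESSION sql_mode = 'STRICT_ALL_TABLES';

CREATE TABLE oauth_token (
    user_id      BIGINT UNSIGNED NOT NULL,
    provider     VARCHAR(32)     NOT NULL,
    -- No provider-specific length assumption: TEXT holds up to 65,535 bytes.
    access_token TEXT            NOT NULL,
    -- Fixed-size digest of the token, used for lookups and uniqueness,
    -- because a TEXT column cannot be indexed over its full length.
    token_sha256 BINARY(32) AS (UNHEX(SHA2(access_token, 256))) STORED,
    updated_at   TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
                 ON UPDATE CURRENT_TIMESTAMP,
    PRIMARY KEY (user_id, provider),
    UNIQUE KEY uq_token_sha256 (token_sha256)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

-- Look a token up by digest (the ? is a prepared-statement parameter).
SELECT user_id, provider
FROM oauth_token
WHERE token_sha256 = UNHEX(SHA2(?, 256));

-- Migrating an existing varchar(255) column (hypothetical legacy table):
-- widen it first, then list rows sitting exactly at the old limit. Those
-- tokens may have been cut off on insert and should be obtained again from
-- the provider. The token value itself is deliberately not selected.
ALTER TABLE oauth_token_legacy MODIFY access_token TEXT NOT NULL;

SELECT user_id, provider
FROM oauth_token_legacy
WHERE CHAR_LENGTH(access_token) = 255;
```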
3

This seems outdated... Facebook now may send tokens longer than 255 chars, at least for 60-day tokens (those substituting offline access).

Have you checked this related question?

Fictional answered 19/4, 2013 at 14:10 Comment(2)
I agree, we had a problem with this, they just recently (last week) started issuing larger IDs. - Typewriting
Yeah, screwed my database... xD - Fictional
