When allowing login by OAuth (such as OpenID, Facebook, Twitter, etc), we save the access token given by the Oath provider in mysql database for future authentication. In some tutorials, the column for saving access token is varchar(255) and some use text. I wonder if the access token (by common websites such as facebook and twitter) is longer than 255 character needing text column. Should we consider this possibility?
Asked
Active
Viewed 1.7k times
9
Googlebot
- 15,159
- 44
- 133
- 229
-
From the spec: "The access token string size is left undefined by this specification." - https://tools.ietf.org/html/rfc6749#section-4.2.2 – AlikElzin-kilaka Apr 13 '16 at 12:31
3 Answers
37
I work at Facebook and I can give a definitive answer about this.
Please don't put a maximum size on the storage for an access token. We expect that they will both grow and shrink over time as we add and remove data and change how they are encoded.
We did give guidance in one place about it being 255 characters. I've updated the blog post that had that information and updated our new access token docs to include a note about sizes:
https://developers.facebook.com/docs/facebook-login/access-tokens/
Sorry for the confusion.
Christopher Blizzard
- 1,928
- 1
- 15
- 10
-
3This should be the accepted answer - just ran into a problem w/ a database column that was varchar(255) and got a Facebook OAuth token that was 260 characters. – Mike Desjardins Nov 14 '14 at 18:41
3
this seems outdated... Facebook now may send tokens longer than 255 chars, at least for 60 day tokens (those substituting offline access).
Have you checked this related question?
-
I agree, we had a problem with this, they just recently (last week) started issuing larger IDs. – covati Apr 19 '13 at 14:18
-
3
You won't run in to the problem with Facebook or Twitter from my experience (In 3+ years there hasn't been a problem for me on my systems storing it at length 255). That said, a quick search did bring up this question on Quora http://www.quora.com/OAuth-1/Whats-the-maximum-length-of-an-OAuth-access-token-key-secret-pair
This answer is incredibly old and incorrect. Look at the latest answers. Do not limit the size of the access token.
Adrian Rodriguez
- 3,232
- 2
- 24
- 34
-
You have to signup at quora, to read their answers. What is the quintessence of the answers there? – Marvin Dickhaus Apr 04 '13 at 20:05
-
4Seriously, you might as well be linking to Expert's Exchange. The gist of the Quora answers are: length isn't covered in the spec; you shouldn't explicitly limit the size of a token that you'll accept; yahoo's tokens were around 400 chars at the time of the quora answer; facebook's tokens were around 344 chars at the time of a different quora answer. – Kevin Nov 25 '13 at 22:18