Facebook OAuth2 中 access_token 的长度是多少?
我在 Google 和 StackOverflow 上搜索以找到问题的答案,但找不到。
我想将 access_token 存储到我的数据库中以供离线访问,并且我想确保指定列的正确长度。
我什至无法确定它只是一个数字还是数字和字符串的混合。
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
我在 Facebook 工作,对此我可以给出明确的答案。
请不要为访问令牌的存储设置最大大小。我们预计,当我们添加和删除数据并更改它们的编码方式时,它们会随着时间的推移而增长和缩小。
我们确实在一处给出了关于 255 个字符的指导。我已经更新了包含该信息的博客文章,并更新了我们的新访问令牌文档以包含有关大小的注释:
https://developers.facebook.com/docs/facebook-login/access-tokens/
抱歉造成混乱。
I work at Facebook and I can give a definitive answer about this.
Please don't put a maximum size on the storage for an access token. We expect that they will both grow and shrink over time as we add and remove data and change how they are encoded.
We did give guidance in one place about it being 255 characters. I've updated the blog post that had that information and updated our new access token docs to include a note about sizes:
https://developers.facebook.com/docs/facebook-login/access-tokens/
Sorry for the confusion.
随着 Facebook 最近转向加密访问令牌,访问令牌的长度最多可达 255 个字符。如果您将访问令牌存储在数据库中,则该列应该至少能够容纳 varchar(255)。以下是 2011 年 10 月 4 日 Facebook 开发者博客的摘录:
“启用加密访问令牌迁移后,访问令牌的格式已更改。新的访问令牌格式是完全不透明的,您不应依赖于代码中的格式。 varchar(255) 字段足以存储新令牌。”
完整博客文章:https://developers.facebook.com/blog/post/572
With Facebook's recent move to encrypted access tokens, the length of the access token can be up to 255 characters. If you're storing the access token in your database, the column should be able to accommodate at least varchar(255). Here's an excerpt from Facebook's Developer blog from October 4, 2011:
"With the Encrypted Access Token migration enabled, the format of the access token has changed. The new access token format is completely opaque and you should not take any dependency on the format in your code. A varchar(255) field will be sufficient to store the new tokens."
Full blog post here: https://developers.facebook.com/blog/post/572
这个答案不再正确,我在 FB 的文档中找不到正确的值。我们收到的访问令牌长度超过 255 个字符。我们正在从 VARCHAR 转向 SMALLTEXT,以尝试面向未来的事情。
This answer is no longer correct, and I can't find a corrected value in FB's docs. We have been receiving access tokens that are longer than 255 characters. We're moving from VARCHAR to a SMALLTEXT instead to try to future-proof things.
来自
OAuth 2.0 授权协议
的第 1.4 节 (草案-ietf-oauth-v2-22)我查找了“配套规范”,但没有找到任何相关内容,并在第 11.2.2 节中指出
这似乎表明 access_token 参数是在本规范中定义的。我猜参数是,但实际的访问令牌尚未完全充实。
更新:
本规范撰写的最新版本 (draft-ietf- oauth-v2-31)包含一个附录,更好地定义了 access_token 参数的预期内容
因此,本质上这意味着 access_token 的长度应至少为 1 个字符,但本规范中定义的长度没有限制。
注意他们定义 VSCHAR = %x20-7E
From section 1.4 of
The OAuth 2.0 Authorization Protocol
(draft-ietf-oauth-v2-22)I looked for the "companion specifications" but didn't find anything relevant and in section 11.2.2 it states
Which seems to indicate that the access_token parameter is defined within this spec. Which I guess the parameter is but the actual access token isn't fully fleshed out.
Update:
The latest version of this writing of the specification (draft-ietf-oauth-v2-31) includes an appendix that defines better what to expect from the access_token parameter
So essentially what this means is that the access_token should be at least 1 character long but there is no limit on how long defined in this specification.
Note they define VSCHAR = %x20-7E
Facebook 访问令牌的长度可以超过 255 个字符。我遇到了很多错误,例如
ActiveRecord::StatementInvalid: PG::StringDataRightTruncation: ERROR: value too long for typecharacter Varying(255)
其中值是 facebook 访问令牌。不要使用string
类型列,因为它的长度是有限的。您可以使用text
类型列来存储标记。Facebook access token can be longer than 255 characters. I had a lot of errors like
ActiveRecord::StatementInvalid: PG::StringDataRightTruncation: ERROR: value too long for type character varying(255)
where the value was facebook access token. Do not usestring
type column because its length is limited. You can usetext
type column to store tokens.最近,我们的应用程序发现它们的长度超过 100 个字符。我仍在寻找文档,以便我可以为它们找出“安全”字段大小。
Recently, our app has been seeing them longer than 100 characters. I'm still looking for documentation so I can figure out a 'safe' field size for them.
我将根据花费的时间更新答案。
从 OAuth2 文档中,
(本文档第 4.2.2 节)
注意: Facebook 正在使用 OAuth2,如此页面所述。
所以现在,Facebook 的开发人员门户上似乎没有关于 OAuth 令牌长度的信息。 Yahoo 似乎使用 400 位长的令牌,因此最好假设 MySQL 中的 TEXT 列比 varchar 更安全。
I'll update the answer from the time spend.
From the OAuth2 documentation,
(Section 4.2.2 of this document)
Note: Facebook is using OAuth2, as mentionned on this page.
So now, no informations seems to be available on the developers portail of Facebook about the length of the OAuth token. Yahoo seems to use a 400 bit long token, so it's best to assume that a TEXT column in MySQL is safer than a varchar.