Facebook OAuth2中的 access_token 的长度是多少?

我在谷歌和 StackOverflow 上搜索,想找到问题的答案,但是找不到。

我希望将 access _ token 存储到数据库中,以便脱机访问,并确保指定了正确的列长度。

我甚至不知道它是一个数字还是数字和字符串的混合。

70897 次浏览

Recently, our app has been seeing them longer than 100 characters. I'm still looking for documentation so I can figure out a 'safe' field size for them.

From section 1.4 of The OAuth 2.0 Authorization Protocol (draft-ietf-oauth-v2-22)

Access tokens can have different formats, structures, and methods of utilization (e.g. cryptographic properties) based on the resource server security requirements. Access token attributes and the methods used to access protected resources are beyond the scope of this specification and are defined by companion specifications.

I looked for the "companion specifications" but didn't find anything relevant and in section 11.2.2 it states

o Parameter name: access_token
o Parameter usage location: authorization response, token response
o Change controller: IETF
o Specification document(s): [[ this document ]]

Which seems to indicate that the access_token parameter is defined within this spec. Which I guess the parameter is but the actual access token isn't fully fleshed out.

Update: The latest version of this writing of the specification (draft-ietf-oauth-v2-31) includes an appendix that defines better what to expect from the access_token parameter

A.12. "access_token" Syntax

The "access_token" element is defined in Section 4.2.2 and
Section 5.1:


access-token = 1*VSCHAR

So essentially what this means is that the access_token should be at least 1 character long but there is no limit on how long defined in this specification.

Note they define VSCHAR = %x20-7E

With Facebook's recent move to encrypted access tokens, the length of the access token can be up to 255 characters. If you're storing the access token in your database, the column should be able to accommodate at least varchar(255). Here's an excerpt from Facebook's Developer blog from October 4, 2011:

"With the Encrypted Access Token migration enabled, the format of the access token has changed. The new access token format is completely opaque and you should not take any dependency on the format in your code. A varchar(255) field will be sufficient to store the new tokens."

Full blog post here: https://developers.facebook.com/blog/post/572

This answer is no longer correct, and I can't find a corrected value in FB's docs. We have been receiving access tokens that are longer than 255 characters. We're moving from VARCHAR to a SMALLTEXT instead to try to future-proof things.

I'll update the answer from the time spend.

From the OAuth2 documentation,

The access token string size is left undefined by this specification. The client should avoid making assumptions about value sizes. The authorization server should document the size of any value it issues.

(Section 4.2.2 of this document)

Note: Facebook is using OAuth2, as mentionned on this page.

So now, no informations seems to be available on the developers portail of Facebook about the length of the OAuth token. Yahoo seems to use a 400 bit long token, so it's best to assume that a TEXT column in MySQL is safer than a varchar.

I work at Facebook and I can give a definitive answer about this.

Please don't put a maximum size on the storage for an access token. We expect that they will both grow and shrink over time as we add and remove data and change how they are encoded.

We did give guidance in one place about it being 255 characters. I've updated the blog post that had that information and updated our new access token docs to include a note about sizes:

https://developers.facebook.com/docs/facebook-login/access-tokens/

Sorry for the confusion.

Facebook access token can be longer than 255 characters. I had a lot of errors like ActiveRecord::StatementInvalid: PG::StringDataRightTruncation: ERROR: value too long for type character varying(255) where the value was facebook access token. Do not use string type column because its length is limited. You can use text type column to store tokens.