I am new to oAuth and looking to build a web application using Twitter (oAuth) to authenticate. There will be no other login method other than via Twitters oAuth. I am looking for advise on best practice to secure the site based on tokens. Here is my plan:
- User is taken from my site to authenticate via Twitters site
- Generate Access token for user
- Get the users unique Twitter id via Twitter API
- Do a user lookup in local db with this id and locate access token if available.
- If no user, create new row in user table and save against the user. If user found, update access token agains the user record.
- If the user is found, md5_salt the twitterid and set as a cookie.
- If the user re-visits, lookup user based on cookie
Does that sound like a secure approach or is using the md5 twitter id a bad idea?
Appreciate any comments.
Without knowing exactly what your client/consumer application is doing, it is hard to tell whether this approach will be “secure”.
One problem I see, is that once you have an access token from twitter, how do you identify your user if the cookie gets deleted? Or would you require them to get a new access token? This would mean that they would have to both login, and authorize your application each time.
Also, an access token for one user of your app. can be stolen and used by another user of your app. since it works just like a password AND you have no authentication on your side to verify your cookie saved access token.
To answer your question then, I would have to say that using oauth as the only authentication provider, no matter how you do it, is not a best practice.
In order to be secure both the client (consumer) application, and the server (provider) application, need to verify the identity of your users. The easiest way to do this is with a username and password which are stored in your users head, and not on file somewhere…