I found a great article on getting started using the Twitter API for authenticating users.
I see that in a normal web app you would write the user’s name and OAuth token/secret to a database. My confusion just stems from how you handle users from that point on. Do you just send them to twitter each time to verify and store these for use in a session variable after logging in? Or is this more of a “associate twitter with your account” than it is a “log in to our site via twitter”?
Finally, I believe I read elsewhere that the OAuth user token and secret are non-expiring (or at least long lasting). Wouldn’t that allow creation of rogue apps that can tweet as a user? I have no intention of that, of course, but it does seem that’s the case.
I guess you could call it “associate Twitter with your identity on this website.” Once someone authenticates themselves with a Twitter login, you can continue using their stored tokens to read and update their account. You should not ask them to keep logging in through Twitter on each visit. That is just annoying. You would use a cookie to tell you who they are when they visit your site, so you could get their stored tokens.
Yes, this does allow apps to tweet as the user, but when they do so, the source at the bottom of the tweets shows which app made the tweet. If the user doesn’t approve, they can delete the tweet and remove their approval for that app to reach their account. They do this in their Twitter profile settings on Twitter.com. This is a much better model than the old way of giving an app your user name and password. The only option then was to change your password, which would invalidate all your apps.