In my web app, users are authorized either through Twitter or Facebook.
I intend to also allow them, while logged in with, say, Twitter, to login with Facebook.
Even at this point, could a user’s account be compromised? I thought about it and couldn’t find any pitfalls, but maybe I just haven’t looked hard enough.
Moreover, I intend to store both oauth tokens in a single row in a database, so that when the user logs in with Facebook, s/he’s automatically being logged in with Twitter, too (to, e.g., be able to post to both places if s/he chooses so).
(I haven’t yet implemented this, so I won’t be surprised if it’s impossible 😉
Is this considered safe practice? I couldn’t find any potential gotchas, so I need advice from more experienced people.
As long as you keep your access tokens unavailable, storing two of them is not less secure than storing one of them.
As mentioned above, having them on the same row in a table is probably not optimal if you want to integrate more services in the future, but when that happens it surely not hard to refactor your code to satisfy that need.