1

I have an application that I've developed in .NET 4.0/C#. It's designed to be used by customers that want to watch hardware sensors and alert them of specific values. One option for notification is by "tweeting" to a Twitter account of their choice. Before Twitter changed to OAuth, users entered their account name and password and this was enough to send Tweets on their behalf.

After reading up on the Twitter API and OAuth, I want to see if I understand correctly the best way to maintain this functionality.

I've registered my application with dev.twitter.com and obtained the necessary Consumer Key and Consumer Secret.

The application may potentially need to tweet to more than one Twitter account as it is used by multiple users per installation.

If I understand things correctly I will need to do the following:

  1. Provide some sort of "Request Authorization" button on a per-user basis, which launches a Twitter authentication web site. There, the user logs in and is then provided with a PIN number.

  2. Use the PIN number to obtain the user's AccessToken and AccessTokenSecret.

  3. Store both of these tokens between sessions (launches) of the application.

My questions:

  1. Should I encrypt either of these tokens when storing (in SQL)?

  2. Is it ever necessary to re-authorize? The program is intended to be setup just once, then run unattended. Re-authorizing accounts will be a deal-breaker.

Though it shouldn't affect any answers or advice, I am using the TweetSharp library.

JYelton
  • 35,664
  • 27
  • 132
  • 191

1 Answers1

1

Your understanding seems pretty good to me.

  1. It depends on how you store your consumer key and secret. If an attacker could gain those and the user's tokens, then that would be bad. The tokens aren't much use without your tokens too.
  2. Only if the user revokes their authorisation.
Jon
  • 16,212
  • 8
  • 50
  • 62