
I'm trying to implement a "Login with twitter" functionality into my site and I've been digging up some tutorials on it.

Correct me if I'm wrong, but the oauth_token and oauth_token_secret values change whenever a user requests them. Also, I noticed that there isn't any practical use for the stored oauth_token and oauth_token_secret.

As such, is it necessary to store and update oauth_token and oauth_token_secret frequently in the database?

JulesChiam

1 Answer


You're correct that the OAuth tokens may change if you request them again -- but if you don't request them again, they don't expire for a very long time. Therefore, the best strategy is to request OAuth tokens once when your user registers, store them in the database, and keep using the same ones, without requesting new ones the next time they sign in.

Of course, when you make a call later, you may find that the OAuth tokens are now rejected. This can happen for a number of reasons, most likely the user has revoked access from the Twitter settings page. At that time you should request a new set and overwrite the old ones. But it is unnecessary to do so unless the old ones stop working.

Adrian Petrescu
  • If you're identifying users by the `oauth_token` they give but it changes, then how do you link a user to an account on your site? – Dan Jan 31 '12 at 19:31
  • I think it is ok to store the credentials in JWT as long as JWT is stored as http-only cookie for preventing XSS. Am I right? – Qiang Feb 05 '17 at 18:46
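The strategy in the accepted answer, written out as an added example (this is not code from the question, the answer, or Twitter's own libraries): the access-token pair is obtained once, persisted per local user, reused on every later request, and replaced only when the API rejects it. The Twitter API and the OAuth authorization step are stood in for by a hypothetical `FakeTwitter` class and an `authorize()` callback, so the whole thing runs offline; the SQLite table and column names are assumptions. The store is keyed by your own user id, so a changing token value is never what links a login to an account.

```python
"""Store a Twitter OAuth token pair once, reuse it, and re-authorize only on rejection.

Added example. FakeTwitter is a hypothetical stand-in for the real API and
issues/revokes token pairs in memory; the real OAuth dance is reduced to a
callback that returns a fresh (oauth_token, oauth_token_secret) pair.
"""
import secrets
import sqlite3
from typing import Callable, Dict, List, Optional, Tuple

TokenPair = Tuple[str, str]


class TokenRejected(Exception):
    """Raised when the API answers 401 for the presented token pair."""


class FakeTwitter:
    """Hypothetical stand-in for Twitter: hands out tokens and lets the user revoke them."""

    def __init__(self) -> None:
        self._valid: Dict[str, str] = {}  # oauth_token -> oauth_token_secret

    def authorize(self) -> TokenPair:
        # Every authorization yields a new pair, as the question observed.
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self._valid[token] = secret
        return token, secret

    def revoke_all(self) -> None:
        # Simulates the user revoking the app from the Twitter settings page.
        self._valid.clear()

    def verify_credentials(self, token: str, secret: str) -> dict:
        if self._valid.get(token) != secret:
            raise TokenRejected("401 Unauthorized")
        return {"screen_name": "example_user"}  # constructed response


class TokenStore:
    """Persists one access-token pair per local user id (in-memory SQLite here)."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        conn.execute(
            "CREATE TABLE IF NOT EXISTS twitter_tokens ("
            "user_id INTEGER PRIMARY KEY, oauth_token TEXT NOT NULL, "
            "oauth_token_secret TEXT NOT NULL)"
        )

    def get(self, user_id: int) -> Optional[TokenPair]:
        row = self.conn.execute(
            "SELECT oauth_token, oauth_token_secret FROM twitter_tokens WHERE user_id = ?",
            (user_id,),
        ).fetchone()
        return (row[0], row[1]) if row else None

    def put(self, user_id: int, pair: TokenPair) -> None:
        # INSERT OR REPLACE overwrites the old pair once it has stopped working.
        self.conn.execute(
            "INSERT OR REPLACE INTO twitter_tokens VALUES (?, ?, ?)",
            (user_id, pair[0], pair[1]),
        )
        self.conn.commit()


def new_store() -> TokenStore:
    return TokenStore(sqlite3.connect(":memory:"))


def twitter_call(
    store: TokenStore,
    user_id: int,
    api: FakeTwitter,
    authorize: Callable[[], TokenPair],
    fn: Callable[[FakeTwitter, str, str], dict],
) -> Tuple[dict, bool]:
    """Run fn(api, token, secret) with the stored pair.

    Returns (result, reauthorized). A new pair is requested only if none is
    stored or the stored one is rejected; a freshly issued pair that is still
    rejected is reported as an error rather than retried forever.
    """
    pair = store.get(user_id)
    reauthorized = False
    if pair is None:
        pair = authorize()
        store.put(user_id, pair)
        reauthorized = True
    try:
        return fn(api, *pair), reauthorized
    except TokenRejected:
        if reauthorized:
            raise
        pair = authorize()
        store.put(user_id, pair)
        return fn(api, *pair), True


def demo() -> List[bool]:
    """First login, a later login, and a login after revocation; returns the re-auth flags."""
    api, store = FakeTwitter(), new_store()
    call = lambda: twitter_call(store, 1, api, api.authorize, lambda a, t, s: a.verify_credentials(t, s))
    flags = [call()[1], call()[1]]
    api.revoke_all()
    flags.append(call()[1])
    return flags  # [True, False, True]


if __name__ == "__main__":
    print(demo())
```

The `oauth_token_secret` is a credential: in a real deployment the table should be protected like any other stored secret (restricted access, encryption at rest where available) and the pair should only ever be sent over TLS.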