
I use the Twitter API in my app. I used to store the OAuth 2 tokens of the associated Twitter account within an application config.

But now the application's users have to be able, using the web interface, to associate any number of twitter accounts, and therefore their credentials.

What would be a good way to store all the credentials?

Jedi

2 Answers

3

As described on Twitter's API OAuth doc, the user's Twitter credentials should not be needed. In other words, when you first connect your user to their Twitter account you should launch a Twitter page that grants your application access to their Twitter information. If the user is not already signed onto Twitter, through the Twitter page, they will enter their Twitter credentials. This keeps the Twitter credentials safe from you. In turn, you should have a token for your application that you keep very secure (encrypted on your site or in your application) and a token for each Twitter user that has agreed to allow your application to have access. When accessing Twitter, you use the application token to confirm who you are and the user token to confirm who the user is. As long as you store both of these in a secure location nobody should be able to spoof access.

Most people will do this by storing an application token with (or in) an application config file and the Twitter user tokens in a database. Here are additional security steps for this setup:

  • Store the config file and database separately. For example, store the config file on a web server and store the database on a database server. This makes access to these two key pieces of data harder to obtain. Unfortunately it does mean you need two servers (or VMs . . . or containers).
  • Rotate the application token on a regular basis (just as you might rotate a password or PIN).
  • Only ask Twitter for your token to be able to access the bare minimum of what you need. This way if there is a security breach they have limited access to your users' Twitter accounts.
  • Secure the servers that store the token and database as best you can.

Maybe I was wrong when I wrote "credentials". In fact, I did mean OAuth tokens, not passwords. So if I store the application token in a configuration file, and user tokens in a database, the app and the users are safe, right? – Andrii Maletskyi Dec 23 '16 at 15:55

Hi @AndriyMaletsky, yes, that is safe (presuming you secure both the database and configuration file). A criminal would need, at least, both to gain access to their Twitter account. Further security options are to limit how much you allow the token to access and change the token on a regular basis. I'll update my answer accordingly. – Forest J. Handford Dec 26 '16 at 04:57
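
An added example (not from the answer, the question, or Twitter's own code) of the layout the answer describes, in Go: the application's consumer key/secret and a data-encryption key live in AppConfig, standing in for the config file on the web server; each linked Twitter account is one row of a hypothetical twitter_accounts table on the database server, holding only a ciphertext of that account's OAuth token. Someone who copies the database gets ciphertext; someone who copies the config gets no user tokens. Two details go beyond what the answer spells out: the ciphertext is bound to the (application user, Twitter account) pair as associated data, so a row moved onto another user fails to decrypt, and RotateKey re-seals rows under a new application-side encryption key, which is the app's own key and not the Twitter application token the answer says to rotate. All type, field and function names, and the key-version scheme, are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// AppConfig is what lives in the config file on the web server: the application's own
// Twitter credentials and the key that encrypts per-user tokens. None of it goes to the database.
type AppConfig struct {
	ConsumerKey, ConsumerSecret string
	KeyVersion                  int    // bumped whenever DEK is rotated; each row records the version that sealed it
	DEK                         []byte // 32-byte AES-256-GCM data-encryption key (assumed name)
}

// tokenRow mirrors one row of a hypothetical twitter_accounts table on the database
// server. An application user owns one row per Twitter account they have linked.
type tokenRow struct {
	UserID, TwitterUserID string
	KeyVersion            int
	Nonce, Ciphertext     []byte // AES-GCM over the OAuth token, bound to both IDs via AAD
}

type TokenStore struct{ rows []tokenRow } // stands in for the database table

func (c *AppConfig) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(c.DEK)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to its owner: a row copied onto another user or account fails to open.
func aad(userID, twitterUserID string) []byte { return []byte(userID + "\x00" + twitterUserID) }

func sealRow(cfg *AppConfig, userID, twitterUserID string, token []byte) (tokenRow, error) {
	g, err := cfg.aead()
	if err != nil {
		return tokenRow{}, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh random nonce per row; never reused under one key
	if _, err := rand.Read(nonce); err != nil {
		return tokenRow{}, err
	}
	ct := g.Seal(nil, nonce, token, aad(userID, twitterUserID))
	return tokenRow{userID, twitterUserID, cfg.KeyVersion, nonce, ct}, nil
}

// SaveToken stores the OAuth token Twitter issued for twitterUserID on behalf of userID.
func SaveToken(cfg *AppConfig, st *TokenStore, userID, twitterUserID, token string) error {
	row, err := sealRow(cfg, userID, twitterUserID, []byte(token))
	if err != nil {
		return err
	}
	st.rows = append(st.rows, row)
	return nil
}

// LoadTokens decrypts every Twitter account linked to userID, keyed by Twitter user id.
// A row sealed under a different DEK, tampered with, or moved between users is refused.
func LoadTokens(cfg *AppConfig, st *TokenStore, userID string) (map[string]string, error) {
	g, err := cfg.aead()
	if err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, r := range st.rows {
		if r.UserID != userID {
			continue
		}
		pt, err := g.Open(nil, r.Nonce, r.Ciphertext, aad(userID, r.TwitterUserID))
		if err != nil {
			return nil, fmt.Errorf("%s: token row failed authentication (config key v%d, row sealed with v%d)", r.TwitterUserID, cfg.KeyVersion, r.KeyVersion)
		}
		out[r.TwitterUserID] = string(pt)
	}
	return out, nil
}

// RotateKey re-seals every row from oldCfg's DEK to newCfg's, so the key on the web
// server can be changed without users having to re-authorise with Twitter.
func RotateKey(oldCfg, newCfg *AppConfig, st *TokenStore) error {
	oldG, err := oldCfg.aead()
	if err != nil {
		return err
	}
	for i, r := range st.rows {
		if r.KeyVersion != oldCfg.KeyVersion {
			continue
		}
		pt, err := oldG.Open(nil, r.Nonce, r.Ciphertext, aad(r.UserID, r.TwitterUserID))
		if err != nil {
			return fmt.Errorf("row %d: %w", i, err)
		}
		if st.rows[i], err = sealRow(newCfg, r.UserID, r.TwitterUserID, pt); err != nil {
			return err
		}
	}
	return nil
}
```

SaveToken is what the OAuth callback handler calls with the token Twitter hands back after the user approves the application on Twitter's page; LoadTokens is what the request handler calls when the user acts on one of their linked accounts. A production store would replace the rows slice with INSERT/SELECT statements against the database server and read DEK from the config file or a secrets manager, never from the same database that holds the ciphertext.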
2

If I understood you correctly you want each user to have multiple Twitter accounts. In that case you don't need to store user credentials, you just need to store multiple OAuth2 tokens for every user.

Mr. E