We discourage any workflow that frequently sends users to Twitter to re-authorize an OAuth application. This really isn't the way OAuth is intended to be used.
As to your second point: yes, do NOT store keys in unencrypted cookies.

On Tue, Feb 17, 2009 at 12:54, Paul Kinlan <[email protected]> wrote:
> Hi Alex,
>
> Erm, yes and no. I understand from our service point of view that we can
> hold on to the access key for as long as it is valid; however, we are trying
> to create a no-username system, so we need to keep track of our own
> session/auth cookies, which could get cleared out regularly. What happens
> then is that, to log in, we will need to send them to the Twitter authorise
> app to access the data each time they clear their cookies. So my question
> is: is it acceptable? I think it is, just wondering if you guys "support" this.
>
> One other question: I am presuming the access keys should never be exposed
> publicly? For instance, it would not be a good idea to store the key in a
> cookie (we are not doing this anyway).
>
> Kind Regards,
> Paul Kinlan.
>
> 2009/2/17 Alex Payne <[email protected]>
>>
>> Our access tokens should be long-lived enough that users shouldn't
>> have to come back to Twitter. Does that answer your question?
>>
>> On Sat, Feb 14, 2009 at 00:39, Paul Kinlan <[email protected]> wrote:
>> > Hi Guys,
>> >
>> > I am working on developing twe2's oAuth support and I have a quick
>> > question for the group. Obviously, oAuth saves us having to store the
>> > twitter-ers' username and password on our system by delegating the
>> > authentication out to Twitter; however, for the past couple of services
>> > I have created, the Twitter username and password has been the only form
>> > of identification on our services, basically meaning that there is no
>> > separate login account for our service.
>> >
>> > So my question is: is it acceptable, whenever the users' sessions on our
>> > site expire, to redirect the user to the oAuth "allow twe2 access" page
>> > at Twitter if they need to log in to our site? Obviously if they never
>> > log in to the site again the access_token may still be valid (unless
>> > they remove our app from their account) and the backend software still
>> > works like normal, but if they re-accept our application this will
>> > refresh the access token, but I am OK with that.
>> >
>> > On a side note, the "Allow Access" page says the following: "The
>> > application Twe2 by Twe2 Limited would like the ability to access and
>> > update your data on Twitter". We are a read-only application; it should
>> > read "The application Twe2 by Twe2 Limited would like the ability to
>> > access your data on Twitter".
>> >
>> > Kind Regards,
>> > Paul Kinlan
>> >
>> > Twe2 Ltd - www.twe2.com
>> >
>>
>>
>>
>> --
>> Alex Payne - API Lead, Twitter, Inc.
>> http://twitter.com/al3x
>
>

--
Alex Payne - API Lead, Twitter, Inc.
http://twitter.com/al3x
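An added example, not code from the thread or from Twe2, of the pattern the reply points at: the OAuth access token stays server-side, the cookie carries only an HMAC-signed opaque session id, and a cleared or tampered cookie simply sends the user back through authorization, after which the callback re-links the same Twitter user id to its existing record instead of creating a new one. The in-memory store, the function names and the per-process signing key are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Server-side cookie-signing key; generated per process here (constructed for the example).
COOKIE_KEY = secrets.token_bytes(32)


class TokenStore:
    """In-memory stand-in for the service's database (an assumption, not Twe2's code)."""

    def __init__(self):
        self.tokens_by_user = {}  # twitter user id -> (access_token, token_secret)
        self.sessions = {}        # opaque session id -> twitter user id


def sign_session(sid: str) -> str:
    """Cookie value = opaque id + HMAC; it never carries the OAuth token itself."""
    mac = hmac.new(COOKIE_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"


def verify_cookie(cookie: str):
    """Return the session id if the cookie is intact, else None."""
    sid, _, _mac = cookie.rpartition(".")
    if sid and hmac.compare_digest(sign_session(sid), cookie):
        return sid
    return None


def on_oauth_callback(store: TokenStore, user_id: str, access_token: str, token_secret: str) -> str:
    """After Twitter redirects back: (re)link the token to the existing record
    for this Twitter user id and issue a fresh session cookie."""
    store.tokens_by_user[user_id] = (access_token, token_secret)  # re-accepting refreshes the token
    sid = secrets.token_urlsafe(32)
    store.sessions[sid] = user_id
    return sign_session(sid)


def token_for_request(store: TokenStore, cookie):
    """Resolve a request's cookie to the stored token. None means the session is
    gone (cleared or tampered) and the user must be sent through authorization again."""
    sid = verify_cookie(cookie) if cookie else None
    user_id = store.sessions.get(sid) if sid else None
    return store.tokens_by_user.get(user_id) if user_id else None
```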
