i have website it's own login/registration mechanism (php, session, user , user_profile db tables username , password, etc). let's call abc account.
i finished integrating twitter's sign-on using oauth, available "sign-on using twitter" button above normal login form.
so have scenario:
a user logs on via twitter. because twitter, unlike facebook, not proivde access user's email address, don't know if person logged in via twitter existing user (in user table) or not. create new account them (let's call "twitter" account) , prompt them merge existing "abc" account entering "abc" credentials. if , matches, store twitter username, id , token in db record abc account. next time login via twitter know in terms of abc account (ie, accounts "merged") , good!
except, i'd have ability have site send tweets on behalf, means need authorized twitter connection, have if logon via twitter button, not through abc account. reason latter have token_secret, received twitter api callback after signing, former don't. first thought of course save token_secret in db (with abc account record) remove restriction, seems equivalent of password , storing secruity hole?
to boil down question: "standard" practice store oauth token secret in db achieve i'm trying (which seems pretty standard function modern site)? . if not, what's alternative implementation?
update: looking at: best practices - store twitter credentials or not? seems not 'best practice'. seems i'm trying accomplish is...not sure how implement? maybe kind of cookie-based solution??
peter
ps -- btw, if has better way account "merge" described i'd open hearing well. did google searching couldn't find useful, although problem must have been solved many times imagine??? understanding in facebook case email can used "uniqely" identify user (ie, match them abc account), , merge without prompting (although i'm not sure totally secure?).
storing tokens twitter gives during oauth process -exactly- how should doing it. shove them in db.
Comments
Post a Comment