I am new to OAuth and looking to build a web application using Twitter (OAuth) to authenticate. There will be no other login method other than via Twitter's OAuth. I am looking for advice on best practice to secure the site based on tokens. Here is my plan:
- User is taken from my site to authenticate via Twitter's site
- Generate access token for user
- Get the user's unique Twitter id via Twitter API
- Do a user lookup in local db with this id and locate access token if available.
- If no user, create new row in user table and save against the user. If user found, update access token against the user record.
- If the user is found, md5_salt the twitterid and set as a cookie.
- If the user re-visits, lookup user based on cookie
Does that sound like a secure approach or is using the md5 twitter id a bad idea?
Appreciate any comments.
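Added example (not from the question author): steps 5 to 8 of the plan sketched in Python, with the cookie from step 7 (`md5_salt_cookie`, assumed to mean md5 of a salt plus the Twitter id) placed next to a random per-login session token so the difference is visible. The in-memory `USERS` and `SESSIONS` dicts, the `SESSION_TTL` value and all function names are constructed stand-ins for a real database.

```python
import hashlib
import secrets
import time

# Constructed stand-ins for the "user table" and a session table.
USERS = {}     # twitter_id -> {"access_token": ...}
SESSIONS = {}  # sha256(cookie value) -> {"twitter_id": ..., "expires": ...}
SESSION_TTL = 7 * 24 * 3600  # assumed policy: one week


def _cookie_key(token):
    # Store only a hash of the cookie value, so a leaked table does not
    # hand out live cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def upsert_user(twitter_id, access_token):
    """Steps 5-6: look the user up by Twitter id; create or update the row."""
    USERS[twitter_id] = {"access_token": access_token}
    return USERS[twitter_id]


def md5_salt_cookie(twitter_id, salt):
    """Step 7 as described: deterministic, so every login on every device
    yields the same cookie and it never expires or gets revoked."""
    return hashlib.md5((salt + str(twitter_id)).encode()).hexdigest()


def start_session(twitter_id, now=None):
    """Alternative for step 7: a random opaque value minted per login,
    tied to the user server-side, with an expiry and the option to revoke."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[_cookie_key(token)] = {"twitter_id": twitter_id,
                                    "expires": now + SESSION_TTL}
    return token


def user_from_cookie(token, now=None):
    """Step 8: resolve the cookie to a user, enforcing expiry."""
    now = time.time() if now is None else now
    row = SESSIONS.get(_cookie_key(token))
    if row is None or row["expires"] <= now:
        return None
    return row["twitter_id"]


def revoke_session(token):
    """Log out one device without touching the others."""
    SESSIONS.pop(_cookie_key(token), None)
```

Each call to `start_session` for the same user yields a different cookie that can expire or be revoked on its own, whereas `md5_salt_cookie` always returns the same value for a given id.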