Menu
In my web app, users are authorized either through Twitter or Facebook. I intend to also allow them, while logged in with, say, Twitter, to login with Facebook.
Even at this point, could a user's account be compromised? I thought about it and couldn't find any pitfalls, but maybe I just haven't looked hard enough.
Moreover, I intend to store both oauth tokens in a single row in a database, so that when the user logs in with Facebook, s/he's automatically being logged in with Twitter, too (to, e.g., be able to post to both places if s/he chooses so). (I haven't yet implemented this, so I won't be surprised if it's impossible ;)
Is this considered safe practice? I couldn't find any potential gotchas, so I need advice from more experienced people.
599
A standard for user authentication using OAuth: OpenID Connect. OpenID Connect is an open standard published in early 2014 that defines an interoperable way to use OAuth 2.0 to perform user authentication.
Let's start with the biggest reason why OAuth isn't authentication: access tokens are not intended for the client application. When an authorization server issues an access token, the intended audience is the protected resource. After all, this is what the token is providing access to.
Perhaps the most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users' accounts. By stealing a valid code or token, the attacker may be able to access the victim's data.
As long as you keep your access tokens unavailable, storing two of them is not less secure than storing one of them.
As mentioned above, having them on the same row in a table is probably not optimal if you want to integrate more services in the future, but when that happens it surely not hard to refactor your code to satisfy that need.
88
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
