Session is required?

[jmtt89]

umm right now i think not is more required the session for twitter auth process, according the twitter docs only needed do three request:

1- Request Token (https://developer.twitter.com/en/docs/authentication/api-reference/request_token) -> Use Consumer Key, Secret and CallbackUrl (oauth headers) and return oauth_token and oauth_token_secret on body

2- Auth on Twitter (https://developer.twitter.com/en/docs/authentication/api-reference/authenticate) -> Use oauth_token by query params to Twitter API -> send callback to callbackUrl with oauth_token & oauth_verifier in queryparams or just get the PIN if not use callback

3- Access Token (https://developer.twitter.com/en/docs/authentication/api-reference/access_token) -> Use oauth_token & oauth_verifier (or PIN)-> receive new oauth_token, oauth_token_secret and user_id in Body

[alkihis]

Hi,

Hint for session usage is purely informative. You can use another method if you want.
Yet, between steps 1 and 2, user is redirected to Twitter website (if callback method is selected) so you need a data structure to "remember" which OAuth token secret is linked to the OAuth token returned by Twitter at step 2.

You didn't specify it in your step 3, but OAuth token secret is required to use access_token: a specific temporary instance must be created with your regular consumer keys, and OAuth token+secret combinaison as accessToken and accessSecret.

You can still use another kind of storage to link OAuth token to OAuth token secret:

• Memory store, that is heavily discouraged because of its lack of scalability
• Cookies, but this is literally a session with worse safety, because we don't want to store OAuth token secret on client-side
• Database store, that is ok but way more complex that session storage
• And many other possibilities...

[dylan1951]

Do we have to verify that the OAuth token returned in step 2 was generated in step 1 as part of the same session? Or can we simply store a map to link the oauth tokens to oauth token secrets?