My question concerns the OAuth token and secret that I obtain in the access token from Twitter for a given user. My understanding is that the token is only relevant in the context of the same service provider (Twitter) and consumer (my app). Is this correct?
If that is correct then I assume that I can store the access token details in my database in plain text because, even if my database were compromised, an attacker would require my consumer credentials to make use of the access token. (And if they managed to obtain those then the only site they could make use of these on would be Twitter.)
Any corrections to the above would be gratefully received.