OAuth - invalidating a user's credentials


#1

I’m using OAuth to let visitors log in to my website using Twitter. The log in part works great. I am surprised, however, by the fact that a user can log out of Twitter from the Twitter website and still have complete access to Twitter via my website. It appears the access tokens my website maintains in the user’s session are still valid, regardless of whether the user is logged on to Twitter. That means that anyone using the computer has access to the Twitter account of the user that authorized my website’s Twitter application. Is it expected that my website visitor should log out of my website and I should then discard the access tokens in order to protect their account? This would make sense, but if I do that then the user is asked to Authorize my application every time they want to log in to my website using Twitter. That step does not seem necessary. Does Twitter require re-authorization of every app each time a user requests to use it? That doesn’t seem right.

I don’t understand the expected workflow. Can someone help explain what the best practice is for managing Twitter logins from a website?

Thanks
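An added example, not from the original post, of the website-side model the question is circling: the long-lived OAuth access token is stored with the user record on the server, while the browser session is a separate, short-lived object that logout destroys. Someone using the same computer after logout therefore gets nothing, while a returning user (identified again by the provider's callback) gets the stored token without the site having to discard and re-request it. The store names, the `twitter_user_id` field and the session TTL are assumptions.

```python
import secrets
import time

# Constructed in-memory stores; a real site would back these with a database
# and carry the session id in a signed, HttpOnly cookie.
USERS = {}      # twitter_user_id -> {"access_token": ..., "access_secret": ...}
SESSIONS = {}   # session_id -> {"user_id": ..., "expires": ...}
SESSION_TTL = 3600  # seconds; assumed value


def create_session(user_id):
    """Issue a fresh, unguessable session id bound to this user."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user_id": user_id, "expires": time.time() + SESSION_TTL}
    return sid


def complete_oauth(twitter_user_id, access_token, access_secret):
    """Called after the OAuth callback succeeds. The token is kept with the
    user record, not in the browser session, and a new session is started."""
    USERS[twitter_user_id] = {"access_token": access_token,
                              "access_secret": access_secret}
    return create_session(twitter_user_id)


def login_returning_user(twitter_user_id):
    """Sign-in of a user we already hold a token for: no new token needed.
    The id must come from the provider's callback, never from the client."""
    if twitter_user_id not in USERS:
        return None
    return create_session(twitter_user_id)


def current_user(sid):
    """Resolve a session id; expired or unknown sessions yield None."""
    s = SESSIONS.get(sid)
    if s is None or s["expires"] < time.time():
        SESSIONS.pop(sid, None)
        return None
    return s["user_id"]


def logout(sid):
    """End the website session. The stored token stays with the user record,
    but nothing reachable from this browser can use it any more."""
    SESSIONS.pop(sid, None)


def twitter_credentials(sid):
    """Only a live website session may use the stored Twitter credentials."""
    user_id = current_user(sid)
    return None if user_id is None else USERS[user_id]
```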