Reverse Auth - After Step 3


#1

I have successfully implemented Reverse Auth using an iOS app and a .NET service. I am using the hybrid model that stores the app secret key on the server (so it does not need to be stored in the app).

My end purpose is to know that the user who has signed on is a specific twitter user, so I do not have to manage identity myself. I will store their user id along with their profile in my database.

The steps that I am currently taking are:

  1. Request an oauth access token from my web service
  2. Perform reverse authentication with the access token and the twitter account signed on in the iOS app
  3. Send the results of step 2 to my web service

My question is this:

When my web service receives the response from step 3, what are the next steps?

Does it then need to validate that these credentials are correct by calling twitter and verifying that the results given match the app identifier and secret key?
What is the usual process?
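One way to handle the step-3 payload on the server, as an added example that is not the original poster's code or Twitter's: the server treats every field the app forwards (token, token secret, user_id, screen_name) as untrusted, signs its own OAuth 1.0a request with the consumer secret it holds plus the forwarded token pair, and only stores the identity if the account the token actually resolves to matches the user_id the client claimed. The endpoint name `account/verify_credentials.json`, the `id_str` field in the reply, and all sample values are assumptions made for this example; no network call is performed, the signed request is built and the response check runs against a constructed reply. Python is used here so the logic runs as-is; it ports directly to the .NET side.

```python
# Added example, not code from the original post. Server-side handling of a
# Reverse Auth step-3 payload: parse, sign an identity check with the
# server-held consumer secret, and compare the real account id to the claim.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qsl, quote, urlparse

# Assumed identity-check endpoint; replace with the one your integration uses.
VERIFY_URL = "https://api.twitter.com/1.1/account/verify_credentials.json"


def pct(value: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare."""
    return quote(value, safe="~")


def parse_reverse_auth_response(body: str) -> dict:
    """Parse the form-encoded step-2 result the client forwards in step 3.
    Every field is client-supplied and therefore untrusted until verified."""
    params = dict(parse_qsl(body, keep_blank_values=True, strict_parsing=True))
    missing = {"oauth_token", "oauth_token_secret", "user_id"} - params.keys()
    if missing:
        raise ValueError("reverse auth response missing " + ", ".join(sorted(missing)))
    return params


def signature_base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 section 3.4.1: METHOD & enc(base URL) & enc(normalized params)."""
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    host = parsed.hostname.lower()
    if parsed.port and parsed.port != {"http": 80, "https": 443}.get(scheme):
        host += f":{parsed.port}"  # keep only non-default ports
    base_url = f"{scheme}://{host}{parsed.path}"
    all_params = dict(parse_qsl(parsed.query, keep_blank_values=True))
    all_params.update(params)
    # Encode first, then sort by encoded key and value, then join.
    normalized = "&".join(
        f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in all_params.items())
    )
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA1 over the base string, keyed with enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def build_verify_request(consumer_key, consumer_secret, token, token_secret,
                         nonce=None, timestamp=None):
    """Return (method, url, headers) for a signed identity check. The consumer
    secret never leaves the server; only the token pair came from the client."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign("GET", VERIFY_URL, oauth, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return "GET", VERIFY_URL, {"Authorization": header}


def confirm_identity(claimed_user_id: str, verify_response_body: str) -> str:
    """Accept only if the account the token really belongs to matches the id the
    client claimed; the provider's answer, not the client's, is authoritative."""
    verified = json.loads(verify_response_body)
    real_id = str(verified.get("id_str") or verified.get("id"))
    if real_id != claimed_user_id:
        raise PermissionError(f"token belongs to {real_id}, client claimed {claimed_user_id}")
    return real_id


if __name__ == "__main__":
    # Constructed step-3 payload and a constructed identity-check reply.
    step3 = parse_reverse_auth_response(
        "oauth_token=123-abc&oauth_token_secret=s3cr3t&user_id=123&screen_name=alice"
    )
    method, url, headers = build_verify_request(
        "app-key", "app-secret", step3["oauth_token"], step3["oauth_token_secret"]
    )
    print(method, url, headers["Authorization"])
    print("verified user:", confirm_identity(step3["user_id"], '{"id_str": "123"}'))
```

The request built by `build_verify_request` is what the server actually sends; whatever comes back is passed to `confirm_identity` together with the `user_id` the app supplied, and only the id returned by that check is written to the database. If the token pair is kept server-side for later API calls, the token secret should be stored encrypted, since it is equivalent to the user's session with the provider.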