What the documentation is saying is that the credentials (token, bearer token, secret key, ...) must be kept only with you, securely. Anyone who obtains this information will be able to make requests on behalf of your Twitter application.
Anyone who gets your private key (API Secret) can authenticate users while impersonating your application. Likewise, anyone who has the token / bearer token can use it as they like on behalf of your application. For example, they could post tweets as if your app had posted them, when you did not actually do that.
For this reason, this information cannot be shared or distributed; it must remain with you alone.
I want the user, instead of clicking on the "Login with Twitter" button using oAuth, to fill out a form with his Twitter data, username and password.
The official Twitter API, the public one, only allows you to use oAuth. It was built precisely so that users would not enter their credentials into third parties.
There is no official way of doing what you want. What exists are workarounds ("gambiarras"): using the private API, the one Twitter itself uses. If I'm not mistaken, he has already told us how to do it. You can reverse engineer the Twitter mobile application, as well as monitor the requests made by the application.
On the Twitter website you can simply monitor the traffic (browsers already have this feature built in) and then learn the endpoints.
You can try searching for someone who has already done this work, including people who have already made such information publicly available, or even libraries in some language that use the private API.
Once you have the passwords you can get the session cookie; this is almost a "Token", but for the private API. It is usually stored in cookies (or in several cookies); in the case of the mobile application's API it may be encrypted, requiring some reverse engineering to get the keys.
NOTE: I do not want to steal information because it is not possible ...
Now, if you ask for other people's passwords ... The phrase "I do not want to steal information because it is not possible ..." is a mistake. Not only do you have the ability to "steal" those credentials, but other people can steal what you have stolen.
Once you request and receive the Twitter passwords you have them; you have access to those credentials. Even if you use HTTPS, the information is decrypted on your side, at best, and is stored in "some memory", so you have access to it.
All in all, if the Tokens are passwords, I can recover the screen_name and use a crypt; I do not know if Twitter uses sha1, so I could recover the password too. If anyone knows, please report it here.
I honestly do not understand what you mean. The Token is random, generated from your private and public key for the user who authorized your application. It is like a password from the point of view of secrecy: neither your password nor a Token should be shared, and both grant access to perform interactions on your behalf.
If I'm not mistaken, oAuth2 does not use any encryption on the Token itself, only on its transport; this is done to make responses faster, and therefore it does not require you to encrypt any Token.
If you want to keep the Token as secure as you possibly can, in my view the way to do it is to use asymmetric encryption and some HSM to store the keys.
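To make concrete what "the secret stays with you" means in the answer above, here is an added example (not code from the question or the answer, and not Twitter's own code) of the OAuth 1.0a HMAC-SHA1 request signing that Twitter's user-context API uses. It reuses the public test vector from OAuth Core 1.0 Appendix A (the photos.example.net request and its dummy keys) instead of real Twitter credentials; the server_verify function is a hypothetical stand-in for the provider's side, and the "forged" POST request is constructed here to show that whoever holds the consumer secret and token secret can sign any request the provider will accept, while the secrets themselves never appear on the wire.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# OAuth Core 1.0 Appendix A test vector: public spec data, not real credentials.
CONSUMER_KEY = "dpf43f3p2l4k3l03"
CONSUMER_SECRET = "kd94hf93k423kf44"   # the "API Secret": a signing key, never sent
ACCESS_TOKEN = "nnch734d00sl2jdk"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"

SPEC_URL = "http://photos.example.net/photos"
SPEC_PARAMS = {"file": "vacation.jpg", "size": "original"}
SPEC_NONCE = "kllo9940pd9333jh"
SPEC_TIMESTAMP = 1191242096


def pct(value):
    """Percent-encode as OAuth 1.0 requires: only RFC 3986 unreserved characters survive."""
    return quote(str(value), safe="~")


def signature_base_string(method, url, params):
    """METHOD & encoded base URL & encoded, sorted 'k=v&k=v' list (without oauth_signature)."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def sign_request(method, url, request_params, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None):
    """Client side: build the oauth_* parameters, including the signature."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce if nonce is not None else secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = hmac_sha1_signature(
        method, url, {**request_params, **oauth}, consumer_secret, token_secret)
    return oauth


def authorization_header(oauth_params):
    """What actually travels over the wire: keys, nonce, timestamp, signature. No secrets."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth_params.items()))


# Hypothetical provider side (a stand-in for Twitter): it holds the same secrets.
SERVER_SECRETS = {CONSUMER_KEY: CONSUMER_SECRET}
SERVER_TOKENS = {ACCESS_TOKEN: TOKEN_SECRET}


def server_verify(method, url, request_params, oauth_params):
    """Recompute the signature from the received request and compare in constant time."""
    consumer_secret = SERVER_SECRETS.get(oauth_params.get("oauth_consumer_key"))
    token_secret = SERVER_TOKENS.get(oauth_params.get("oauth_token"))
    if consumer_secret is None or token_secret is None:
        return False
    expected = hmac_sha1_signature(
        method, url, {**request_params, **oauth_params}, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


def spec_vector_oauth():
    return sign_request("GET", SPEC_URL, SPEC_PARAMS, CONSUMER_KEY, CONSUMER_SECRET,
                        ACCESS_TOKEN, TOKEN_SECRET, nonce=SPEC_NONCE, timestamp=SPEC_TIMESTAMP)


def spec_vector_signature():
    return spec_vector_oauth()["oauth_signature"]   # spec value: tR3+Ty81lMeYAr/Fid0kMTYa/WM=


def spec_vector_header():
    return authorization_header(spec_vector_oauth())


def forged_request_accepted():
    """Someone who copied both secrets signs a request the real app never made."""
    url = "https://api.example.net/statuses/update"   # constructed endpoint for illustration
    params = {"status": "posted by whoever holds your API Secret"}
    oauth = sign_request("POST", url, params, CONSUMER_KEY, CONSUMER_SECRET,
                         ACCESS_TOKEN, TOKEN_SECRET)
    return server_verify("POST", url, params, oauth)


def tampered_request_rejected():
    """Without the secrets, altering a signed request breaks the signature."""
    oauth = spec_vector_oauth()
    return server_verify("GET", SPEC_URL, {"file": "other.jpg", "size": "original"}, oauth)


if __name__ == "__main__":
    print(spec_vector_header())
    print("forged accepted:", forged_request_accepted(), "| tampered rejected:", not tampered_request_rejected())
```

The header printed by the block carries only the consumer key, token, nonce, timestamp and signature; the two secrets stay on the client and the provider. That is exactly why leaking the API Secret is equivalent to handing out your application's identity: the forged POST above verifies just as well as the legitimate GET.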