I don't normally do "web programming", but now that I have to do some of it, I have to ask: how did this end up being the security standard? (OAuth 2.0, example from PayPal's API) pic.twitter.com/nHXqajAiej
Strictly speaking, you only need to authenticate to the authentication provider, not the application, so only the authentication provider needs to be in your secure enclave. But yes, it would probably have been better to use challenge-response with the password.
Am thinking a lot about this now. Spitballing here. Isn't OAuth supposed to be a spec for communication between 3rd party systems? That is, once you validated OAuth at the edge of your enclave, you don't technically need to use the same auth model within it (down to storage).
To be fair, in a world where a LAMP stack runs through an interpreter on a dozen or so containers that run in a VM, it's obvious that no one cares about performance.
I suppose that is a reasonable take, yes.
It's basically impossible to secure any of this, because at some point, you are sending a 'bearer token' that will be taken at face value. It can be intercepted and reused freely. OAuth2 is not secure from my POV.
A more sensible approach would be to set up a key pair between the service and the client, where the client generates it and securely stores the private key. The service stores the public key along with your account.
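The key-pair scheme sketched in the last reply, worked through as an added example (this is illustrative code written for this page, not code from anyone in the thread or from any OAuth provider). It assumes Ed25519 from Go's standard library, a single-use random nonce as the challenge, a short expiry, and the account name bound into the signed message; the account name "alice" and the "login:" prefix are constructed for the example. The client keeps the private key and only ever sends a signature over a fresh challenge, so a captured message cannot be replayed the way a captured bearer token can:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Service is the server side: it stores each account's public key and the
// challenges it has issued but not yet seen answered.
type Service struct {
	mu         sync.Mutex
	pubKeys    map[string]ed25519.PublicKey // account -> registered public key
	challenges map[string]challenge         // hex(nonce) -> pending challenge
	now        func() time.Time             // injectable clock, so expiry can be tested
}

type challenge struct {
	account string
	expires time.Time
}

func NewService(now func() time.Time) *Service {
	return &Service{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string]challenge{}, now: now}
}

// GenerateClientKey runs on the client; the private key never leaves it.
func GenerateClientKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Register stores the client's public key next to the account.
func (s *Service) Register(account string, pub ed25519.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pubKeys[account] = pub
}

// Challenge issues a fresh random nonce bound to the account, valid for ttl.
func (s *Service) Challenge(account string, ttl time.Duration) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.pubKeys[account]; !ok {
		return nil, errors.New("unknown account")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[hex.EncodeToString(nonce)] = challenge{account: account, expires: s.now().Add(ttl)}
	return nonce, nil
}

// signedMessage binds the account name into what is signed, so a signature
// produced for one account cannot be presented for another.
func signedMessage(account string, nonce []byte) []byte {
	return append([]byte("login:"+account+":"), nonce...)
}

// Sign runs on the client: answer the challenge with the locally held private key.
func Sign(priv ed25519.PrivateKey, account string, nonce []byte) []byte {
	return ed25519.Sign(priv, signedMessage(account, nonce))
}

// Verify checks the signature over a nonce the service itself issued. The nonce is
// consumed on the first attempt, successful or not, so a replay is rejected.
func (s *Service) Verify(account string, nonce, sig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := hex.EncodeToString(nonce)
	c, ok := s.challenges[key]
	if !ok {
		return errors.New("unknown or already-used nonce")
	}
	delete(s.challenges, key)
	if c.account != account {
		return errors.New("nonce was issued to a different account")
	}
	if s.now().After(c.expires) {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(s.pubKeys[account], signedMessage(account, nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	svc := NewService(time.Now)
	pub, priv, _ := GenerateClientKey()
	svc.Register("alice", pub) // "alice" is a constructed sample account
	nonce, _ := svc.Challenge("alice", time.Minute)
	sig := Sign(priv, "alice", nonce)
	fmt.Println("first login:", svc.Verify("alice", nonce, sig)) // <nil>
	fmt.Println("replayed:   ", svc.Verify("alice", nonce, sig)) // unknown or already-used nonce
}
```

The three checks in Verify are the ones that matter in practice: the nonce must be one the service issued and has not seen before, it must be bound to the account that is answering it, and it must not have outlived its ttl. Compare that with a bearer token, which the service accepts from whoever presents it for as long as it is valid.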