I don't normally do "web programming", but now that I have to do some of it, I have to ask: how did this end up being the security standard? (OAuth 2.0, example from PayPal's API) pic.twitter.com/nHXqajAiej
Surely they have another factor like an IP whitelis- "PayPal doesn't require merchants to whitelist specific IP addresses to access PayPal Classic or REST APIs."
Is it possible that a government entity has asked them to do this, so they could spy in?
The client authentication method the curl command is using is client_secret_basic (RFC 6749 Section 2.3.1). There are other methods that can avoid passing the client secret directly. Whether PayPal supports such methods is a different topic, though. https://darutk.medium.com/oauth-2-0-client-authentication-4b5f929305d4
The JWT version looks much better, for example - however, to my knowledge that is not what any of these vendors support (i.e., if PayPal or Stripe supports that model, I do not know where the docs are for it).
This is exactly why Eran Hammer, the lead of the OAuth 2 spec, resigned: https://web.archive.org/web/20130806054836/http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
This is exactly why the financial industry is moving to private-key-based authentication with OAuth extensions like FAPI. It hasn't hit the consumer-facing financial APIs like PayPal/Stripe yet, but it's becoming more normal in the backend of these systems.
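An added illustration of the two client-authentication styles discussed in this thread (client_secret_basic from RFC 6749 Section 2.3.1 beside a JWT client assertion as in RFC 7523); this is example code, not from the thread or from PayPal/Stripe, and the client id, secret and token endpoint are constructed placeholders. It uses an HMAC-signed assertion (client_secret_jwt) so it runs with the standard library alone; the private_key_jwt variant used by FAPI profiles swaps the HMAC for an asymmetric signature, but the claims and the server-side checks are the same.

```python
import base64, hashlib, hmac, json, time, uuid
from urllib.parse import quote

# Constructed sample values; not real PayPal or Stripe credentials or endpoints.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
TOKEN_ENDPOINT = "https://api.example.test/v1/oauth2/token"  # assumed 'aud' value

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def client_secret_basic_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 s2.3.1: form-urlencode id and secret, then HTTP Basic. The raw, long-lived secret crosses the wire on every request."""
    cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(cred.encode()).decode()

def client_secret_jwt_assertion(client_id, client_secret, aud, lifetime=60):
    """RFC 7523 / OIDC client_secret_jwt: short-lived, audience-bound assertion; only a signature is sent, never the secret."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": aud,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + lifetime}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_client_assertion(assertion, client_secret, expected_aud, seen_jti, now=None):
    """Token-endpoint side: pin the alg, then check signature, audience, expiry and one-time jti."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = assertion.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return False
        expected = hmac.new(client_secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(expected), s):
            return False
        claims = json.loads(b64url_decode(c))
    except (ValueError, TypeError):
        return False
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        return False
    if claims.get("jti") in seen_jti:          # a captured assertion being replayed
        return False
    seen_jti.add(claims["jti"])
    return True
```

The Basic header can be replayed indefinitely by anyone who captures or logs it, whereas the assertion is bound to one token endpoint, expires in seconds and is accepted once.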