I don't normally do "web programming", but now that I have to do some of it, I have to ask: how did this end up being the security standard? (OAuth 2.0, example from PayPal's API)pic.twitter.com/nHXqajAiej
I'm worried that the baby thinks people can't change.
You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
Add this Tweet to your website by copying the code below. Learn more
Add this video to your website by copying the code below. Learn more
By embedding Twitter content in your website or app, you are agreeing to the Twitter Developer Agreement and Developer Policy.
| Country | Code | For customers of |
|---|---|---|
| United States | 40404 | (any) |
| Canada | 21212 | (any) |
| United Kingdom | 86444 | Vodafone, Orange, 3, O2 |
| Brazil | 40404 | Nextel, TIM |
| Haiti | 40404 | Digicel, Voila |
| Ireland | 51210 | Vodafone, O2 |
| India | 53000 | Bharti Airtel, Videocon, Reliance |
| Indonesia | 89887 | AXIS, 3, Telkomsel, Indosat, XL Axiata |
| Italy | 4880804 | Wind |
| 3424486444 | Vodafone | |
| » See SMS short codes for other countries | ||
This timeline is where you’ll spend most of your time, getting instant updates about what matters to you.
Hover over the profile pic and click the Following button to unfollow any account.
When you see a Tweet you love, tap the heart — it lets the person who wrote it know you shared the love.
The fastest way to share someone else’s Tweet with your followers is with a Retweet. Tap the icon to send it instantly.
Add your thoughts about any Tweet with a Reply. Find a topic you’re passionate about, and jump right in.
Get instant insight into what people are talking about now.
Follow more accounts to get instant updates about topics you care about.
See the latest conversations about any topic instantly.
Catch up instantly on the best stories happening as they unfold.
I don't normally do "web programming", but now that I have to do some of it, I have to ask: how did this end up being the security standard? (OAuth 2.0, example from PayPal's API)pic.twitter.com/nHXqajAiej
It seems to me that even a cursory look at such a security model lets you know that it is not good? Because the credentials are passed directly. This means that any breach anywhere in the entire chain from the storage to the remote endpoint leaks complete authority?
If instead you passed merely a signature of the request signed using the secret, then any breach leaks only the specific token, and not the entire client authority.
This is actually a non-trivial difference, unless I am missing something. For example, you could put the signing in a secure enclave, and then it would be protected, and still fast since only the signing must operate securely.
But with the OAuth model, you would have to put the entire application in a secure enclave, from the storage right on down to the part where the HTTPS packet gets encoded, which seems terrible for performance.
The client authentication method the curl command is using is client_secret_basic (RFC 6749 Section 2.3.1). There are other methods that can avoid passing the client secret directly. Whether PayPal supports such methods is a different topic, though.https://darutk.medium.com/oauth-2-0-client-authentication-4b5f929305d4 …
The JWT version looks much better, for example - however, to my knowledge that is not what any of these vendors support (ie., if PayPal or Stripe supports that model, I do not know where the docs are for it).
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.