I don't normally do "web programming", but now that I have to do some of it, I have to ask: how did this end up being the security standard? (OAuth 2.0, example from PayPal's API)
It seems to me that even a cursory look at such a security model lets you know that it is not good? Because the credentials are passed directly. This means that any breach anywhere in the entire chain from the storage to the remote endpoint leaks complete authority?
If instead you passed merely a signature of the request signed using the secret, then any breach leaks only the specific token, and not the entire client authority.
This is actually a non-trivial difference, unless I am missing something. For example, you could put the signing in a secure enclave, and then it would be protected, and still fast since only the signing must operate securely.
But with the OAuth model, you would have to put the entire application in a secure enclave, from the storage right on down to the part where the HTTPS packet gets encoded, which seems terrible for performance.
This is exactly why the financial industry is moving to private-key-based authentication with OAuth extensions like FAPI. It hasn't hit the consumer-facing financial APIs like PayPal/Stripe yet, but it's becoming more normal in the backend of these systems.
Sep 9, 2021 · 5:07 PM UTC
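A minimal version of the request-signing scheme the thread argues for, added here as an example (it is not PayPal's API and not code from anyone in the thread). The secret, path, timestamp and bodies are constructed; the point is that only `sign_request` ever touches the secret, and a captured signature is bound to one request and one time window.

```python
import hashlib
import hmac

# Constructed shared secret (assumption: provisioned out of band in practice).
CLIENT_SECRET = b"example-client-secret-not-real"


def canonical_request(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Deterministic byte string covering everything the signature protects."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(secret: bytes, method: str, path: str, timestamp: int, body: bytes) -> str:
    """Client side: the only function that needs the secret (candidate for an enclave)."""
    msg = canonical_request(method, path, timestamp, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(secret: bytes, method: str, path: str, timestamp: int,
                   body: bytes, signature: str, now: int, max_skew: int = 300) -> bool:
    """Server side: reject stale timestamps, then recompute and compare in constant time."""
    if abs(now - timestamp) > max_skew:
        return False
    expected = sign_request(secret, method, path, timestamp, body)
    return hmac.compare_digest(expected, signature)


def demo():
    ts = 1631207220  # constructed request timestamp
    body = b'{"amount":"10.00","currency":"USD"}'
    sig = sign_request(CLIENT_SECRET, "POST", "/v2/payments", ts, body)

    # Genuine request, received a few seconds later: accepted.
    ok = verify_request(CLIENT_SECRET, "POST", "/v2/payments", ts, body, sig, now=ts + 5)
    # Same captured signature on a modified body: rejected, the secret was never exposed.
    other_body = b'{"amount":"999.00","currency":"USD"}'
    tampered = verify_request(CLIENT_SECRET, "POST", "/v2/payments", ts, other_body, sig, now=ts + 5)
    # Same request replayed an hour later: rejected by the timestamp window.
    stale = verify_request(CLIENT_SECRET, "POST", "/v2/payments", ts, body, sig, now=ts + 3600)
    return ok, tampered, stale


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Compare this with sending the client secret itself on every call: there, anything that sees the wire or the request log holds the whole credential, not one signature.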