Mark Sapiro writes:
The last I looked into using Twitter as an OAuth2 provider, which was some time ago, it would not work because Twitter would not provide the user's email address via OAuth2. Possibly this could work if the user's name was her Twitter handle.
Yeah, but then I (@yasegumi@twitter) could log in as yasegumi@example.com and every other yasegumi in the world. There probably aren't any of those that aren't me, but of the 30 kids in my 6th grade class 5 were named something with the diminutive "Steve", and we also had one Stephanie. So I could log in as steve@turnbull.sk.tsukuba.ac.jp (that's me) or steve@xemacs.org (that's not me, I'm stephen@xemacs.org), or steve@any.old.com. Not good.
Also, I wouldn't trust Musk's Twitter with no security staff left to give out only confirmed email addresses. If they give out any address you gave them, then anybody can spoof anybody. So I would advise not using Twitter as an IdP under any conditions, unless it's to prove you own a Twitter handle.
Steve
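
The account-matching problem raised in this thread, as an added example that is not part of either message and is not Mailman's or any login library's code: a relying party that accepts only an identity the account owner linked earlier, or a full address confirmed by a provider the operator trusts for that, and never compares a handle with a local-part. All names, claim keys (`sub`, `handle`, `email`, `email_verified`), the `trusted-idp` provider and the sample accounts are constructed assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical: providers the site operator trusts to confirm addresses.
EMAIL_TRUSTED = {"trusted-idp"}

class LoginRefused(Exception):
    pass

@dataclass
class Account:
    email: str
    identities: set = field(default_factory=set)  # linked (provider, sub) pairs

def naive_handle_match(handle, accounts):
    """The unsafe mapping from the thread: handle compared with local-part."""
    return [a for a in accounts
            if a.email.split("@")[0].lower() == handle.lower()]

def resolve_login(provider, claims, accounts):
    """Return the local account an IdP assertion may log in to, or refuse."""
    sub = claims.get("sub")
    if not sub:
        raise LoginRefused("no stable subject identifier")
    # 1. An identity the account owner linked while logged in always wins.
    for acct in accounts:
        if (provider, sub) in acct.identities:
            return acct
    # 2. Otherwise accept only a full address, flagged as confirmed, from a
    #    provider that is trusted to confirm addresses.
    email = claims.get("email")
    if (provider in EMAIL_TRUSTED and email
            and claims.get("email_verified") is True):
        matches = [a for a in accounts if a.email.lower() == email.lower()]
        if len(matches) == 1:
            return matches[0]
        raise LoginRefused("no single account for that address")
    # 3. A bare handle proves ownership of the handle and nothing else.
    raise LoginRefused("no linked identity and no trusted verified address")

def sample_accounts():
    """Constructed accounts: two different people share the local-part."""
    return [Account("steve@example.org"),
            Account("steve@example.net"),
            Account("stephen@example.org", {("twitter", "12345")})]
```
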