403 vs 400 difference in golang client 1.20 and 1.21 for API usage on openidconnect/v1/tokenservice


The following code is a stripped-down version showing that a Golang client on version 1.21.x gets a 403, but a 1.20.x client gets a 400. I am not passing in a client ID/secret, but if I did it would return success in 1.20 but will always return a 403 in 1.21.

<h1>Error 403 Forbidden</h1>
<h3>Error 54113[Removed. Phone #s not permitted]t;/p>
<p>Varnish cache server</p>

The code example is:

package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/url"
)

func main() {
	tokenURL := url.URL{
		Scheme:   "https",
		Host:     "www.paypal.com",
		Path:     "/webapps/auth/protocol/openidconnect/v1/tokenservice",
		RawQuery: "grant_type=authorization_code",
	}
	// the query string is re-encoded as the form body of the POST
	values := tokenURL.Query()
	requestBody := bytes.NewBufferString(values.Encode())
	req, _ := http.NewRequest("POST", tokenURL.String(), requestBody)

	// this line will downgrade to http1 and return a 400
	// (uncomment it together with an import of "crypto/tls")
	//http.DefaultClient.Transport = &http.Transport{TLSClientConfig: &tls.Config{}}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		fmt.Printf("got an error: %v\n", err)
	} else {
		defer resp.Body.Close()
		fmt.Printf("no error. status: %v\n", resp.StatusCode)
		bodyBytes, err := io.ReadAll(resp.Body)
		if err != nil {
			fmt.Printf("failed to read body: %v\n", err)
		}
		fmt.Printf("body: \n%s\n", bodyBytes)
	}
}

I have a bunch of trace data with which I can answer various questions about the differences I am seeing between version 1.20.x and 1.21.x, but I wanted to start the question simply to see if others have run into a similar issue.


Thank you,


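The commented-out line in the post works because net/http disables its automatic HTTP/2 support as soon as a Transport carries a non-nil TLSClientConfig (or a custom dialer), unless ForceAttemptHTTP2 is set. The example below, added here and not part of the original post, demonstrates that switch offline: it stands up a local httptest TLS server that answers the same token path with the protocol the client actually negotiated, then sends the post's form-encoded POST through both transport variants and reads resp.Proto. The server, its handler, the certificate pool and the label names are assumptions for the demo and say nothing about PayPal's edge; against www.paypal.com the same resp.Proto check is how you confirm which protocol produced the 403 versus the 400.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// tokenPath mirrors the endpoint path from the post; the host is a local test server.
const tokenPath = "/webapps/auth/protocol/openidconnect/v1/tokenservice"

// newTokenServer starts a local TLS server (assumed stand-in, not PayPal) that
// answers the token endpoint with the protocol version the client negotiated.
func newTokenServer() *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != tokenPath {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		fmt.Fprintf(w, "proto=%s grant_type=%s", r.Proto, r.FormValue("grant_type"))
	}))
	srv.EnableHTTP2 = true // server offers h2 via ALPN; the client decides whether to use it
	srv.StartTLS()
	return srv
}

// rootPool trusts only the test server's self-signed certificate, so the custom
// tls.Config still verifies the peer instead of resorting to InsecureSkipVerify.
func rootPool(srv *httptest.Server) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return pool
}

// postToken sends the same form-encoded POST the original snippet builds and
// returns the negotiated protocol (resp.Proto), the status code and the body.
func postToken(client *http.Client, base string) (proto string, status int, body string, err error) {
	form := url.Values{"grant_type": {"authorization_code"}}
	req, err := http.NewRequest(http.MethodPost, base+tokenPath, strings.NewReader(form.Encode()))
	if err != nil {
		return "", 0, "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return "", 0, "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", 0, "", err
	}
	return resp.Proto, resp.StatusCode, string(b), nil
}

// compareTransports runs the request through two transports against the local
// server and returns the protocol each one negotiated, keyed by a label.
func compareTransports() (map[string]string, error) {
	srv := newTokenServer()
	defer srv.Close()
	pool := rootPool(srv)

	transports := map[string]*http.Transport{
		// A non-nil TLSClientConfig silently disables HTTP/2 in net/http;
		// this is what the commented-out line in the post relies on.
		"custom-tls-config": {TLSClientConfig: &tls.Config{RootCAs: pool}},
		// Same TLS config, but explicitly opting back in to HTTP/2.
		"force-http2": {TLSClientConfig: &tls.Config{RootCAs: pool}, ForceAttemptHTTP2: true},
	}
	out := make(map[string]string, len(transports))
	for label, tr := range transports {
		proto, status, _, err := postToken(&http.Client{Transport: tr}, srv.URL)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", label, err)
		}
		if status != http.StatusOK {
			return nil, fmt.Errorf("%s: unexpected status %d", label, status)
		}
		out[label] = proto
	}
	return out, nil
}

func main() {
	res, err := compareTransports()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for label, proto := range res {
		fmt.Printf("%-18s -> %s\n", label, proto)
	}
}
```

The "custom-tls-config" transport negotiates HTTP/1.1 and the "force-http2" one negotiates HTTP/2.0, so the downgrade in the post is a side effect of installing any tls.Config, not of the empty config itself; set ForceAttemptHTTP2 when you want a custom TLS config without losing HTTP/2.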


A little more information: if I change the script above from www.paypal.com to ipynb.paypal.com, api.paypal.com or even www.sandbox.paypal.com I get the expected 400, but www.paypal.com is always a 403.


Looks like this Reddit 
