Avast I am a developer and I dislike the idea of people entering other accounts credentials inside of some else's software even yours. You should not be encapsulating the paypal or other web page inside of your software. I don't care if you are implementing a browser to do so. I can easily do the same thing and capture keystrokes and store somewhere or do other malicious things. You need to use OIDC which can be used even with desktop applications. I have done so with ids4 ages ago so I know it can be done. You are eroding customer's trust with your current implementation. I expect a go to paypal button to launch paypal in my browser. Get with current OIDC and OAUTH 2 flows and do it the right way.
