But yeah, the more.

Meneus: Right, the point is you never want to give some third party site your credentials to another site

Masella: Vioz: but if you use disqus in iframe mode, the consuming website never sees any of that

Bastress: Meneus: without permission*, right?

Meneus: No, you should never do that ever

Masella: If they ask, they’re doing something bad

Sager: Not username and p***word

Masella: Because that’s what OAuth is for

Masella: That is what “credientials” means

Gearing: Mumble mumble, linkedin

Riter: But you are kind of giving them your information when you are using tokens in cookies that authenticate you, right?

Meneus: MAYBE they get your token but even that is sketchy

Gearing: Vioz: you’re giving them a limited set of information/powers

Meneus: Because then the third party site can do anything as you. even if they don’t plan on being evil with it, they are now another vector for attack on your credentials

Meneus: With oauth, as dash said, it’s a limited set of capabilities

Meneus: It’s a separate token they can use to get limited info and to make sure you are you

Raucci: Oh man, this is going to be so hard

Meneus: Don’t worry about it if you don’t need to implement oauth as a provider

Meneus: Which is a pain in the ***

Polcyn: Disqus is a provider right?

Gearing: Yeah i did the oauth funtimes for auth in our app at work last year

Nored: I’m trying to build something that’s similar to their service where someone places a script on a page to perform some operation specific to my service

Noerr: Hello I’m developing my first pro javascript lib :3 I want to know how can I use commonJS to debug?

Redcay: Those annoying requires and stuff

Gearing: Vioz: does your service manage user accounts?

Liebenthal: And I don’t feel like creating a whole server just to serve my stuff

Gearing: Vioz: then yeah you’ll need to have an oauth provider

Annabel: I just want to call it from the browser from a file

Pucket: Then I have to glue everything together

Schupbach: Dash: by “have an” you mean “be an oauth provider”?

Meneus: Felishia: well you can bundle commonJS stuff into a file using browserify

Meneus: I’m not sure where having a server comes in – you’ll still probably want one because browsers get weird if you’re trying to run code on local files

Meneus: Better to just have a server that runs locally

Burstein: Meneus, yeah yeah but I want to debug without destroying the modularity

Flournoy: Noooooode four point ooohhh

Duel: I still don’t quite follow how oauth protects you from unauthorized access. either way, there’s a token in a cookie that represents a user. i suppose a malicious script could post to my disqus-like service and pretend to be that user

Meneus: It’s all in the details

Meneus: If some attacker gets your oauth token, 1 what they can do is limited, 2 that token can be deauthorized without affecting anything about your account

Masella: Vioz: they can only do what you, the user, authorized them to do with the server. also, those tokens generally expire

Edey: Yes i think it’s all about the limited scope

Scadden: It’s a trade-off but not a bad one

Meneus: With typical oauth, you’re just allowing them to see your username and maybe some basic profile details

Masella: It’s generally why anything that asks “to post to your timeline” isn’t worth it

Meneus: MAYBE access certian other stuff, and if the thihrd party is trusted possibly even have other permissions like “post as you” or whatever

Meneus: But yeah, the more permissions you allow, the more at risk you are of something going wrong