Meneus: Right, the point is you never want to give some third party site your credentials to another site
Masella: Vioz: but if you use disqus in iframe mode, the consuming website never sees any of that
Bastress: Meneus: without permission*, right?
Meneus: No, you should never do that ever
Masella: If they ask, they’re doing something bad
Sager: Not username and p***word
Masella: Because that’s what OAuth is for
Masella: That is what “credentials” means
Gearing: Mumble mumble, linkedin
Riter: But you are kind of giving them your information when you are using tokens in cookies that authenticate you, right?
Meneus: MAYBE they get your token but even that is sketchy
Gearing: Vioz: you’re giving them a limited set of information/powers
Meneus: Because then the third party site can do anything as you. Even if they don’t plan on being evil with it, they are now another vector for attack on your credentials
Meneus: With OAuth, as Dash said, it’s a limited set of capabilities
Meneus: It’s a separate token they can use to get limited info and to make sure you are you
Raucci: Oh man, this is going to be so hard
Meneus: Don’t worry about it if you don’t need to implement oauth as a provider
Meneus: Which is a pain in the ***
Polcyn: Disqus is a provider right?
Gearing: Yeah, I did the OAuth funtimes for auth in our app at work last year
Nored: I’m trying to build something that’s similar to their service where someone places a script on a page to perform some operation specific to my service
Noerr: Hello, I’m developing my first pro JavaScript lib :3 I want to know how I can use CommonJS to debug?
Redcay: Those annoying requires and stuff
Gearing: Vioz: does your service manage user accounts?
Liebenthal: And I don’t feel like creating a whole server just to serve my stuff
Gearing: Vioz: then yeah you’ll need to have an oauth provider
Annabel: I just want to call it from the browser from a file
Pucket: Then I have to glue everything together
Schupbach: Dash: by “have an” you mean “be an oauth provider”?
Meneus: Felishia: well, you can bundle CommonJS stuff into a file using browserify
Meneus: I’m not sure where having a server comes in – you’ll still probably want one because browsers get weird if you’re trying to run code on local files
Meneus: Better to just have a server that runs locally
Burstein: Meneus, yeah yeah but I want to debug without destroying the modularity
Flournoy: Noooooode four point ooohhh
Duel: I still don’t quite follow how OAuth protects you from unauthorized access. Either way, there’s a token in a cookie that represents a user. I suppose a malicious script could post to my Disqus-like service and pretend to be that user
Meneus: It’s all in the details
Meneus: If some attacker gets your OAuth token, (1) what they can do is limited, (2) that token can be deauthorized without affecting anything about your account
Masella: Vioz: they can only do what you, the user, authorized them to do with the server. Also, those tokens generally expire
Edey: Yes, I think it’s all about the limited scope
Scadden: It’s a trade-off but not a bad one
Meneus: With typical oauth, you’re just allowing them to see your username and maybe some basic profile details
Masella: It’s generally why anything that asks “to post to your timeline” isn’t worth it
Meneus: MAYBE access certain other stuff, and if the third party is trusted possibly even have other permissions like “post as you” or whatever
Meneus: But yeah, the more permissions you allow, the more at risk you are of something going wrong