Vioz: pretend to be you.

Popiolek: To make it a little more relevant, I visit google.com but I POST to disqus.com. Will I be sending google cookies instead of disqus cookies?

Masella: No, you will send disqus cookies

Bochenski: Then I think I can do what disqus is doing

Masella: It’s based on the request you’re making, not the request you already made

Fede: I.e. offering cross domain authentications

Masella: Of course you can! how else would disqus do it?

Masella: If you couldn’t do it, how could disqus do it?

Masella: Also, why not just ask “how do I do what disqus does?” up front so I know that’s what you’re driving at?

Meneus: There are restrictions on sending cross-domain cookies like that to prevent XSS attacks though

Masella: Because the answer then is simply “use cookies”

Meneus: OAuth is a scheme for getting around it

Bruce: Masella: I was trying to be specific, and I don’t exactly know what that means for everyone: I’m sorry

Meneus: Basically, if you have ID PROVIDER and DOMAIN, DOMAIN sends you to ID PROVIDER with a callback link that says “I want permission to log this person in and get their identity details”. ID PROVIDER then shows the user a page giving them the option to allow this; if they do, DOMAIN gets the auth details

Masella: Meneus: yes, it’s much like Kerberos. The idea being that you and the server both trust the OAuth provider to properly authenticate people. But that’s also a bit more work, and requires a backend

Blaydes: Meneus: equivalently, can’t the site place a Disqus script tag on their site which sends a cookie and upon a request, grab user details?

Meneus: Nope. if it were that easy, any site could do that to you and hijack your account

Meneus: That’s where stuff like CORS comes in

Friebel: Do you think disqus whitelists certain URLs or uses something like ‘*’ for CORS requests

Meneus: It’s more complicated than that

Meneus: But also keep in mind that a script tag performs a GET

Meneus: And while you could add a script tag or frame on your site that accesses Disqus, your code wouldn’t be able to access any of the details

Summer: I have an Express server set up to listen to POST requests to /auth and I was able to get into the function that listens for those requests

Gollhofer: Hey real quick is there a way to have a text field pop up upon the user clicking an element?

Trosclair: The post request came from xhr.sendpostRequest

Meneus: Disqus would see the request but your site wouldn’t

Cespedes: Like alert except it appears on the same file page and the user can enter information there

Myricks: Meneus: I don’t want to take up too much of your time, you all have been amazingly helpful

Lurvey: Meneus: I have one more question

Smolen: Meneus: what does OAuth give me that I can’t get with tokens inside cookies?

Masella: Vioz: the consuming site doesn’t know who you are with just using cookies

Masella: That’s the real point of OAuth. When I use OAuth to authenticate you via Twitter, I know who you are because Twitter tells me

Challen: Masella: otherwise, it’s easy for any site you visit to post to /some_generic_endpoint and pretend to be you

Belcher: How would you go about doing this? I have jQuery set up to add and remove the text fields when the element is selected and unselected.

Vrba: Since the cookie is being passed with the identifying information

Wolfrom: Just confused about where to go with the logic

Meneus: Vioz: take a look at, say, http://plnkr.co for example. You can log into that site using your GitHub credentials; you don’t have to create an account with a separate username and password

Reuter: Meneus: yeah, I understand that

Etling: I’ve set up OAuth registration for a few sites now

Masella: Vioz: pretend to be you with whom? If you give the website your Twitter credentials, yes, they are now you