Popiolek: To make it a little more relevant, i visit google.com but i POST to disqus.com, i will be sending google cookies instead of disqus cookies?
Masella: No. you will send disqus cookies
Bochenski: Then i think i can do what disqus is doing
Masella: It’s based on the request you’re making, not the request you already made
Fede: I.e. offering cross domain authentications
Masella: Of course you can! how else would disqus do it?
Masella: If you couldn’t do it, how could disqus do it?
Masella: Also, why not just ask “how do i do what disqus does?” up front so i know that’s what you’re driving at?
Meneus: There are restrictions on sending cross-domain cookies like that to prevent XSS attacks though
Masella: Because the answer then is simply “use cookies”
Meneus: OAUTH is a scheme for getting around it
Bruce: Masella: i was trying to be specific, and i don’t exactly know what that means for everyone : i’m sorry
Meneus: Basically, if you have ID PROVIDER and DOMAIN, DOMAIN sends you to ID PROVIDER with a callback link that says “I want permission to log this person in and get their identity details”. ID PROVIDER then shows the user a page giving them the option to allow this – if they do, DOMAIN gets the auth details
Masella: Meneus: yes, it’s much like kerberos. the idea being that you and the server both trust the OAuth provider to properly authenticate people. but that’s also a bit more work, and requires a backend
Blaydes: Meneus: equivalently, can’t the site place a Disqus script tag on their site which sends a cookie and upon a request, grab user details?
Meneus: Nope. if it were that easy, any site could do that to you and hijack your account
Meneus: That’s where stuff like CORS comes in
Friebel: Do you think disqus whitelists certain URLs or uses something like ‘*’ for CORS requests
Meneus: It’s more complicated than that
Meneus: But also keep in mind that a script tag performs a GET
Meneus: And while you could add a script tag or frame on your site that accesses disqus, your code wouldn’t be able to access any of the details
Summer: I have an express server set up to listen for POST requests to /auth and i was able to get into the function that listens for those requests
Gollhofer: Hey real quick is there a way to have a text field pop up upon the user clicking an element?
Trosclair: The post request came from xhr.sendpostRequest
Meneus: Disqus would see the request but your site wouldn’t
Cespedes: Like alert except it appears on the same file page and the user can enter information there
Myricks: Meneus: i don’t want to take up too much of your time, you all have been amazingly helpful
Lurvey: Meneus: i have one more question
Smolen: Meneus: what does oauth give me that i can’t get with tokens inside cookies?
Masella: Vioz: the consuming site doesn’t know who you are with just using cookies
Masella: That’s the real point of oauth. when i use oauth to authenticate you via twitter, i know who you are because twitter tells me
Challen: Masella: otherwise, it’s easy for any site you visit to post to /some_generic_endpoint and pretend to be you
Belcher: How would u go about doing this, I have jquery set up to add and remove the text fields when the element is selected and unselected.
Vrba: Since the cookie is being passed with the identifying information
Wolfrom: Just confused about where to go with the logic
Meneus: Vioz: take a look at, say, http://plnkr.co for example. you can log into that site using your github credentials, don’t have to create an account with separate username and password
Reuter: Meneus: yeah, i understand that
Etling: I’ve set up oauth registration for a few sites now
Masella: Vioz: pretend to be you with who? if you give the website your twitter credentials, yes, they are now you