SSO Integration problem - threadDetails.json ?


Andy Feltham

Feb 7, 2014, 8:46:18 AM
to disqu...@googlegroups.com
I am losing my hair over SSO. I am going through the checklist -> http://help.disqus.com/customer/portal/articles/1148640-sso-debug-checklist

Initial Setup
1) Done
2) Check - "Single Sign-On has been configured under the domain 'XYZ'."
3) Done.
4) Not on Wordpress, nothing to do.

User Not Recognised...
1) I've been trying for a couple of weeks, still no joy. I've even contacted support, but all they suggested doing was posting on here. :( 
2) I've added www.mydomain.com and mydomain.com to this list. All of my testing is on www.mydomain.com
3) Yup, took me a while to find this setting but this is also enabled.
4) This is the bit I can't verify. I've looked at the threadDetails.json request and can't see any reference to the X-Disqus-Remote-Auth and X-Disqus-Publisher-API-Key mentioned.
5) This I also can't understand. I've pasted in my SSO payload. The tool shows 'We were able to read your message', 'Your message signature matches' and 'Your message is within the expiration time', however then goes on to say "If you were to correct the stated errors, we would expect your input to match the following:". What I can't understand is what errors it's suggesting I should correct?!!!? There are none on the page. Even stranger still, the line it suggests my SSO payload should match with, actually does match with the SSO payload I provide!?

So, two questions really... 
a) How do I get the X-Disqus* header parameters?
b) How can I find out what error messages the SSO debug tool thinks I have?

Thanks in advance.

Andy Feltham. 

Burak Yiğit Kaya

Feb 7, 2014, 3:02:30 PM
to disqu...@googlegroups.com
Andy,

Looks like `disqus_config` fails to set your payload information. Please provide the link to your page for us to investigate further.


--
BYK

Andy Feltham

Feb 7, 2014, 6:21:16 PM
to disqu...@googlegroups.com
Hey there. 

Firstly thanks for taking the time to reply, and so quickly too!

A sample page is here -> http://www.divebinder.com/#site/219 with the script file containing the function which loads Disqus being here -> http://www.divebinder.com/pages/js/site.js ( search for loadComments );

FWIW, it seems to me, unless I've missed something, that for an AJAX / Javascript client you have to have your Secret and Private key mentioned in a .js file somewhere, potentially open. Is that right? Is that secure?

Thanks Andy. 

Burak Yiğit Kaya

Feb 7, 2014, 6:51:02 PM
to disqu...@googlegroups.com
Andy,

Your problem is most probably the "this.page = {};" line. You try to override the `page` object we have provided but since we hold an internal reference to it, we don't get your new object, and thus don't pick up your SSO payload. tl;dr remove that line and you should be fine.

On another note, the way you use SSO is completely insecure. Since you exposed your secret key, anyone can sign any payload and fabricate users on your site, and may even steal people's identities. I reset your keys to prevent any damage. Please, never, ever expose your API secret. Do your signing on the server.

Best,
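
Server-side signing of the kind the reply above asks for, as an added example that is not code from this thread or from Disqus: it builds the `remote_auth_s3` value in Disqus's documented SSO layout (base64 JSON, HMAC-SHA1, timestamp) and re-checks it against the three conditions the debug tool reports. The function names, the sample user and keys, and the two-hour `maxAgeSeconds` window are assumptions.

```javascript
const crypto = require('crypto');

// Runs on the server only. Returns "<base64 JSON> <HMAC-SHA1 hex> <unix time>".
function signSsoPayload(user, secretKey, now = Math.floor(Date.now() / 1000)) {
  const message = Buffer.from(JSON.stringify(user)).toString('base64');
  const signature = crypto.createHmac('sha1', secretKey)
    .update(`${message} ${now}`).digest('hex');
  return `${message} ${signature} ${now}`;
}

// Re-checks a payload: readable, signature matches, within expiration time.
// maxAgeSeconds is an assumed window, not a value taken from the thread.
function checkSsoPayload(payload, secretKey, now, maxAgeSeconds = 7200) {
  const result = { readable: false, signatureMatches: false, withinExpiry: false };
  const [message, signature, timestamp] = String(payload).split(' ');
  if (!message || !signature || !/^\d+$/.test(timestamp || '')) return result;
  try {
    result.user = JSON.parse(Buffer.from(message, 'base64').toString('utf8'));
    result.readable = true;
  } catch (err) {
    return result;
  }
  const expected = crypto.createHmac('sha1', secretKey)
    .update(`${message} ${timestamp}`).digest();
  const given = Buffer.from(signature, 'hex');
  // Constant-time comparison; timingSafeEqual needs equal-length buffers.
  result.signatureMatches = given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
  result.withinExpiry = Math.abs(now - Number(timestamp)) <= maxAgeSeconds;
  return result;
}

// What the server writes into the page: the signed payload and the public key.
// The secret key never appears in anything sent to the browser.
function renderDisqusConfig(remoteAuth, publicKey) {
  return 'var disqus_config = function () {\n' +
    `  this.page.remote_auth_s3 = ${JSON.stringify(remoteAuth)};\n` +
    `  this.page.api_key = ${JSON.stringify(publicKey)};\n` +
    '};';
}

// Constructed sample values.
const SAMPLE_SECRET = 'constructed-secret-key';
const SAMPLE_USER = { id: '42', username: 'andy', email: 'andy@example.com' };
const SAMPLE_AUTH = signSsoPayload(SAMPLE_USER, SAMPLE_SECRET, 1391780000);
```
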

Andy Feltham

Feb 10, 2014, 4:50:18 AM
to disqu...@googlegroups.com
Hello, 

A big thank you to you for helping out. I've now resolved my problem and even made my code more secure in the process! I did think that approach didn't look right but was just trying to get it working to start with. As you say, the problem was the 'this.page = {}'. I had added that line as a test because previously the function failed on the subsequent line saying something along the lines of 'this.page not found / recognised'. I don't know why it's now working, but it is! Yay!

Having implemented this, a few other comments from me if I may..

1) The first time a user is registered the profile pic seems to be ignored. If I refresh the page the avatar is present but the first time always seems to show the default image.
2) Thank you for resetting the keys.
3) Given that you are able to reset keys I presume you have some link with Disqus. The support on the forum has been great, but the email support almost seemed rude. The reply that consistently came back was "As for the SSO issues, we recommend reaching out to the Disqus Developers group here: http://groups.google.com/group/disqus-dev" and this seemed to be a case of fobbing me off to get someone else to look at the problem. Now knowing that there are admins working on this forum I have no problem with this reply as I now know there are people who can help, however I was wondering if wording it slightly differently may help. For example "Regarding your technical issues we recommend posting your problem on the Disqus Developers group here :<link>. This is maintained by Disqus admins and will allow other users who share similar problems to benefit from the solution." I think had that been the first reply I got I would have jumped on the forum straight away - instead I lost a week or so bouncing emails back and forth.

These are just comments, please use or ignore as needed. At the end of the day I'm really happy that I have my issue now fixed and am very grateful for the support. It's a great little tool too and I'm really looking forward to having it on my site.

Thanks again, Andy. 

Burak Yiğit Kaya

Feb 10, 2014, 8:49:36 AM
to disqu...@googlegroups.com
Hi Andy,

Glad you've got it working! :) I can't speculate about why `this.page` was throwing an error before without seeing that particular code piece so I'll pass on why it was not working before :)

> 1) The first time a user is registered the profile pic seems to be ignored. If I refresh the page the avatar is present but the first time always seems to show the default image.

I don't have enough knowledge about this particular issue. It looks like a caching issue from where I'm standing but I'll let other people on the team who simply have more knowledge about our SSO backend answer this one.

> 2) Thank you for resetting the keys.

You're welcome :)

> 3) Given that you are able to reset keys I presume you have some link with Disqus.

I do work at/for Disqus, yes.

> The support on the forum has been great, but the email support almost seemed rude. The reply that consistently came back was "As for the SSO issues, we recommend reaching out to the Disqus Developers group here: http://groups.google.com/group/disqus-dev" and this seemed to be a case of fobbing me off to get someone else to look at the problem.

To be completely honest, SSO implementation issues don't really fall into the responsibility zone of our support staff so yes, they are sending you to folks who simply are more experienced on those particular issues but "fobbing off" is kind of a strong word for that. I'd prefer forward, redirect or refer :)

> Now knowing that there are admins working on this forum I have no problem with this reply as I now know there are people who can help, however I was wondering if wording it slightly differently may help. For example "Regarding your technical issues we recommend posting your problem on the Disqus Developers group here :<link>. This is maintained by Disqus admins and will allow other users who share similar problems to benefit from the solution." I think had that been the first reply I got I would have jumped on the forum straight away - instead I lost a week or so bouncing emails back and forth.

Thank you very much for taking the extra mile to actually come up with an improvement to an obstacle you have experienced and sharing with us. We'll indeed take this into account.

Have a great day!

Burak Yiğit Kaya

Feb 10, 2014, 3:15:58 PM
to disqu...@googlegroups.com
Andy,


On Mon, Feb 10, 2014 at 3:49 PM, Burak Yiğit Kaya <b...@disqus.com> wrote:
> > 1) The first time a user is registered the profile pic seems to be ignored. If I refresh the page the avatar is present but the first time always seems to show the default image.
>
> I don't have enough knowledge about this particular issue. It looks like a caching issue from where I'm standing but I'll let other people on the team who simply have more knowledge about our SSO backend answer this one.

I got more info about this. We defer the fetching of the avatar to our systems to provide a very fast session response. That is the reason for this behavior.

Best,

--
BYK

Andy Feltham

Feb 10, 2014, 3:28:43 PM
to disqu...@googlegroups.com
Hey, 

Thanks for the confirmation about the avatar. That makes sense and good to know!

Andy. 

Christopher Moyer

Jan 16, 2015, 11:45:42 AM
to disqu...@googlegroups.com
Do you have any idea why "this.page" wasn't defined? I'm having that problem now on my system. I also found out that disqus_config is passed a function, and if I don't return that function disqus doesn't even load.

Burak Yiğit Kaya

Jan 16, 2015, 1:41:04 PM
to disqu...@googlegroups.com
Christopher,

Do you do `this.page = { ... }` anywhere in your function? If you do so, that's probably the reason since you change the reference of the object but we still hold onto our internal reference.

--
BYK

Chris Moyer

Jan 16, 2015, 1:50:37 PM
to disqu...@googlegroups.com
I used to but I pulled that out and it still doesn't work.

--
Chris Moyer
Vice President of Technology
Newstex, LLC
Please log all support request to 

Burak Yiğit Kaya

Jan 16, 2015, 2:41:46 PM
to disqu...@googlegroups.com
Can you link to the page?

Chris Moyer

Jan 16, 2015, 3:11:32 PM
to disqu...@googlegroups.com
Sure, here it is in our development environment: http://scholar.dev.acindex.com/view/14818a80f930953012d/14af442c0c55f32014d

Burak Yiğit Kaya

Jan 16, 2015, 6:48:11 PM
to disqu...@googlegroups.com
It works for me. Also you don't need this check:
if(this.page !== undefined)

Chris Moyer

Jan 17, 2015, 4:49:13 PM
to disqu...@googlegroups.com
That's very odd, it's still not working for me and when I do remove that line I get this:

 Uncaught TypeError: Cannot set property 'remote_auth_s3' of undefined
 14af9d6dbb3220c014d:711 (anonymous function)
 14af9d6dbb3220c014d:729 (anonymous function)

Burak Yiğit Kaya

Jan 18, 2015, 7:08:11 PM
to disqu...@googlegroups.com
Maybe it only happens to accounts logged in via SSO. Can you e-mail me a sample account so that I can try it out?

Chris Moyer

Jan 19, 2015, 9:36:51 AM
to disqu...@googlegroups.com
If you log in with Google on that page any Gmail account will work.

Burak Yiğit Kaya

Jan 19, 2015, 3:54:26 PM
to disqu...@googlegroups.com
Something on your page is calling `disqus_config` without the proper context and then setting it to undefined for some reason. I don't know what is doing it but it is definitely not us.
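
The two failure modes discussed in this thread (reassigning `this.page`, and `disqus_config` being called without its context), as an added example that is not Disqus's code: `runConfig` is a hypothetical stand-in for an embed loader that keeps its own reference to the `page` object, and the payload string is constructed.

```javascript
// Hypothetical loader: holds an internal reference to `page` and calls the
// site's config function with `this` bound to a context exposing that object.
function runConfig(configFn) {
  const page = {};              // internal reference the loader reads later
  const context = { page };
  configFn.call(context);
  return page;                  // what the loader actually sees afterwards
}

// Constructed placeholder for a server-signed payload.
const SIGNED = 'constructed-message constructed-signature 1391780000';

// Broken: swaps context.page for a new object, so the payload lands on an
// object the loader never looks at.
function reassigningConfig() {
  this.page = {};
  this.page.remote_auth_s3 = SIGNED;
}

// Working: mutates the object the loader handed over.
function mutatingConfig() {
  this.page.remote_auth_s3 = SIGNED;
}

// Calling the config function as a bare function loses the context, so
// `this.page` is not the loader's object and the assignment throws.
function errorWhenCalledBare(configFn) {
  try {
    configFn();
    return null;
  } catch (err) {
    return err.name;
  }
}
```
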

Chris Moyer

Jan 19, 2015, 4:03:24 PM
to disqu...@googlegroups.com
Aha, I found what was going on! By switching this it worked:

- var disqus_config = function (fnc) {
+ function disqus_config(fnc) {

Not sure exactly what was going on there, but now it works. Thanks for the help!

Burak Yiğit Kaya

Jan 19, 2015, 5:02:41 PM
to disqu...@googlegroups.com
No problem. Btw not sure where you got it but you definitely don't need the `fnc` parameter and return it.