Anyone using the Disqus OAuth2 authorize API?

Since posting on the Disqus disqus forum seems to be a waste of time, maybe someone here can help.

I’m trying to use the OAuth2 flow to connect a Disqus user to my app’s account system so I can monitor their activity (posts/comments/etc). I’m using Meteor for my app. I’m calling the OAuth2 authorize endpoint from my server code and passing the resulting HTML back to the client for rendering. This all works fine. But I’m seeing 2 problems on the client side. First, the HTML code returned from Disqus seems to be designed in a full page and the username/password fields extend across the entire window. I was expecting a dialog/modal popup like the one that Disqus provides when logging into a forum. I tried wrapping the HTML inside of a Bootstrap3 modal window which mostly works except the username and password fields extend off the right side of the dialog box.

Ignoring the ugly UI, the second problem is that when the user clicks on the submit link Disqus puts up an error page titled ‘CSRF verification failed (403) - DISQUS’. I’m guessing this may be because the OAuth2 call was made from the server and the submit is coming from the client. If I copy the OAuth2 URL directly into the browser everything works fine. But I don’t want to expose my API key and resulting code on the client side since that seems like a security risk.

All I really want to do is verify that the user is trying to connect their own account to my app (and not some other user). I’m not posting with their account so I don’t need an access token (I’m calling user/details which just takes the API-key). So I’ve thought about creating a forum for my app and using the login endpoint to verify the username/password combo. But that dialog doesn’t explain the scopes I’m asking for.

I’ve also considered building my own dialog box to prompt for the username/password, sending those back to the server and have the server “fake” the submit back to Disqus. But that is not a maintainable solution since Disqus might change the expected fields at any time. And it is ugly as sin.

Anyone have any suggestions? I didn’t post any code since I don’t believe it is a coding problem (and the code is a bit convoluted). But if anyone thinks it will help you help me, I’ll be happy to post it.

I tried to write an OAuth handler for Disqus, but found the documentation insufficient and the process for getting an API key poorly explained.

However, you seem to have the API key at least, so you may find the following useful - it’s a hackable Meteor OAuth2 handler. As it stands it’s written for imgur, but it should be straightforward to implement for Disqus. Given the poor documentation, you may find it necessary to use Postman with your API key to get the content of returned objects bottomed out.

Thanks @robfallows, good to know it isn’t just me. Not only is the Disqus documentation inadequate but they have no other technical help other than to say to look at the FAQ and the Knowledge Base. I found an NPM that does OAuth for Uber, so between that code and yours and maybe one of the official Meteor account-oauth handlers I’m going to try to get Disqus to work. I’ll follow up here if I get it to work.


My basic problem was that I was using ‘request’ with forwarding to fetch the authentication text and displaying that. What is required is to not allow the forward and pass the URL to the client to render in a window. This solves the CSRF issue.

I’ve updated the disqus NPM at https://www.npmjs.com/package/disqus to include OAuth authentication methods, so it is now easy to get this working. It’s my first NPM so if you have trouble with it, please open an issue at GitHub.
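
A sketch of the flow the thread arrives at, added here as an example (it is not code from the thread or from the disqus package): the server builds the authorize URL and hands it to the client to open in a window, then checks a per-session `state` value on the callback so the returned code belongs to the user who started the flow. The endpoint URL, the `read` scope, the in-memory `pending` store and the function names are assumptions; `state` is the standard OAuth2 parameter, assumed to be echoed back by Disqus.

```javascript
// Added example. Node.js, standard library only.
const nodeCrypto = require('crypto');

// Assumption: Disqus's OAuth2 authorize endpoint; confirm against the current docs.
const AUTHORIZE_URL = 'https://disqus.com/api/oauth/2.0/authorize/';

// Hypothetical store: sessionId -> { state, expires }. Use your session store in production.
const pending = new Map();

// Server side: build the URL the client opens in a window. Only client_id
// goes into it; the API secret never leaves the server.
function beginAuthorize(sessionId, clientId, redirectUri, now = Date.now()) {
  const state = nodeCrypto.randomBytes(32).toString('hex');
  pending.set(sessionId, { state, expires: now + 10 * 60 * 1000 });
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    client_id: clientId,
    scope: 'read', // assumed scope name
    response_type: 'code',
    redirect_uri: redirectUri,
    state,
  }).toString();
  return url.toString();
}

// Server side: called from the redirect_uri route. Returns the authorization
// code only if state matches the one issued to this session. Each state is
// single use and expires after ten minutes.
function finishAuthorize(sessionId, query, now = Date.now()) {
  const entry = pending.get(sessionId);
  pending.delete(sessionId);
  if (!entry || now > entry.expires) return null;
  const got = Buffer.from(String(query.state || ''));
  const want = Buffer.from(entry.state);
  if (got.length !== want.length || !nodeCrypto.timingSafeEqual(got, want)) return null;
  return typeof query.code === 'string' && query.code ? query.code : null;
}
```

The code returned by `finishAuthorize` is then exchanged for a token from the server, which is the only place the API secret is used.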