nguyenquyhy / DiscordBridge

A Sponge plugin to integrate Minecraft server with a Discord channel
MIT License

Replace authentication with username and password with OAuth page/token? #38

Closed Keanu73 closed 5 years ago

Keanu73 commented 7 years ago

It's pretty insecure, but OAuth does the trick. All you have to do, really, is set up a page on a website that will ask for some stuff, then it redirects you to OAuth authentication, then log in with that?

nguyenquyhy commented 7 years ago

I don't think Discord has such support 😄.

Keanu73 commented 7 years ago

At least hide the command from logs.

BigJazzz commented 7 years ago

@nguyenquyhy Discord does support OAuth. It's also been brought to our attention that some of our users aren't happy with supplying their credentials to the server, and would rather use the OAuth system.

Keanu73 commented 7 years ago

@BigJazzz Yeah, it does to be honest.

ilyvion commented 7 years ago

I'm fairly certain that at this point, Discord's OAuth is only used with bots. I'd love to be proven wrong, though.

Mohron commented 7 years ago

It's possible, though not probable. You can use Discord to log in to websites using OAuth, but a web application is in place to make that possible. Either a portable web app that a server could set up on their own or a centralized application would be needed to really change the login mechanics... And this is a Java application, not a web application, so don't get your hopes up!

ilyvion commented 7 years ago

Well, people have made all kinds of "web servers" in Minecraft before, like livemaps and various web control panels for plugins. The hardest part, then, is really just that people would have to open ports on their servers to allow the OAuth responses to get through to the server.
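The embedded callback endpoint discussed in the comments above, as an added example that is not part of the thread and not DiscordBridge code: a plugin-hosted HTTP listener built on the JDK's `com.sun.net.httpserver` that receives the OAuth redirect and accepts it only when it carries the one-time `state` value issued for that player. The client id, host name, port, class name and the `identify` scope are assumptions chosen for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class OAuthCallbackListener {
    // Placeholders (assumptions): client id, host name and port.
    static final String CLIENT_ID = "YOUR_CLIENT_ID";
    static final String REDIRECT_URI = "http://mc.example.org:8123/callback";
    // One-time state value -> Minecraft player who requested the login link.
    static final Map<String, UUID> pending = new ConcurrentHashMap<>();

    // Link the player opens in a browser; the random state binds the callback to this player.
    static String loginUrl(UUID player) throws Exception {
        byte[] b = new byte[24];
        new SecureRandom().nextBytes(b);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(b);
        pending.put(state, player);
        return "https://discord.com/api/oauth2/authorize?response_type=code&scope=identify"
            + "&client_id=" + CLIENT_ID + "&state=" + state
            + "&redirect_uri=" + URLEncoder.encode(REDIRECT_URI, "UTF-8");
    }
    // Value of one query-string parameter, or null when it is absent.
    static String param(String query, String name) {
        for (String kv : (query == null ? "" : query).split("&")) {
            String[] p = kv.split("=", 2);
            if (p.length == 2 && p[0].equals(name)) return p[1];
        }
        return null;
    }
    public static void main(String[] args) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress(8123), 0);
        server.createContext("/callback", ex -> {
            String query = ex.getRequestURI().getRawQuery();
            String state = param(query, "state"), code = param(query, "code");
            UUID player = state == null ? null : pending.remove(state); // single use
            boolean ok = player != null && code != null;
            // On success the plugin would exchange `code` for a token; no password is handled here.
            byte[] body = (ok ? "Linked. Return to the game." : "Invalid or expired link.")
                .getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(ok ? 200 : 400, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.start();
        System.out.println("Open: " + loginUrl(UUID.randomUUID()));
    }
}
```

A callback with an unknown or already used `state` gets a 400 response, so the port that has to be opened only accepts redirects for links the server itself issued.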

ilyvion commented 7 years ago

> which would require a second language with something like Ruby on Rails

Require? I take it you are not fully aware of what Java is capable of?

nguyenquyhy commented 7 years ago

Yes OAuth2 in Discord is possible. It requires 2 things:

Both are not too hard but would take quite some time. I don't have a lot of time at hand right now, so my temporary solution was to show a warning message when you do /discord login until I have more time or until someone submits a PR :).

Mohron commented 7 years ago

This was my point: very possible, but not a priority, as it's a very time-consuming change.

BigJazzz commented 7 years ago

@nguyenquyhy So when the login command receives credentials, what happens to them? How are they transmitted? Are they stored anywhere other than our chat log (if it's been enabled)?

I understand it's a time-consuming change, but I would suggest it gets made a priority to avoid someone trying to accuse you of stealing their credentials. That's the whole reason OAuth exists.

For our community, we'd have no problem setting up a webpage and whatnot, if the plugin was configured to at least require manual work on our end. I understand others may not be in a position where they can do that, but that's a suggestion.

Keanu73 commented 5 years ago

And 2 years on.. still without OAuth token support? lol

Mohron commented 5 years ago

Because this project was abandoned by the owner.

Keanu73 commented 5 years ago

Oh well. It seems time has made its mark.