I need to be certain that email addresses returned from the Facebook graph API have been verified by the owner of the email address. The same question was asked here: Is it possible to check if an email is confirmed on Facebook? where the conclusion seems to be: yes, they are verified. However, I cannot find this anywhere in the API documentation. Can someone point me in the direction of official documentation around this?
You'll have to do the verification yourself:
If you use an email address as the unique credential which identifies each account, your app should verify that the email address associated with the person's Facebook account (and obtained during Facebook Login) is valid. You can do this by creating code in your app to send a verification email to the address obtained after Facebook Login (you will probably need to have this step as part of your regular login system anyway).
https://developers.facebook.com/docs/facebook-login/multiple-providers#postfb1
It's in the Graph API User object, the verified field.
https://developers.facebook.com/docs/graph-api/reference/user
We are developing a mobile application that communicates with a server, which sends a generated email on behalf of the app user to a facebook user.
The user sending the email is signed on to Facebook.
The email is sent to one or multiple FB friends/connections using their id (example: username@facebook.com).
The sender email can be from any domain and that's where the problem lies. Sending directly from Gmail, for example, works fine. But because our server is sending on behalf of the user, FB thinks it's a spoofed email.
Sending the email from the app is not an option for us at this time.
Is there any way or service that would allow us to do this without having our emails marked as spam?
Facebook is transitioning away from the ability to send emails via an API call on Mar. 1st. To compensate, they allow apps to now ask for a user's email address directly.
If you set the email domain in your app's settings, then asking for the email extended permission gives you the user's email address instead of the ability to send an email via the API.
As of Mar. 1, the API will stop working and you are left alone to figure out your own email solution. This goes for regular notifications, both user to user and app to user, as well
From here
And:
Please note: We are in the process of deprecating the REST API,
and will not be adding support for this in Graph API.
Developers should directly send email to users once they are granted permission.
From here
However, I would suggest rather sending private message than emails, as described here
For some users in our application, the email field returns NULL even if the user has granted the email access to the app.
When we check the scope parameter and the validity of the user Token thanks to the Debugger tool, everything is ok. The permission email has been accepted.
But when we ask the Graph API for the email of the user with the valid user token, it does not appear at all.
Is there a way a user could prevent an app from getting his email even if he granted the email permission?
Thanks
I had the same problem and I think I found out why:
If the user has an unconfirmed email in Facebook (i.e. Facebook sent him a validation mail to the user's email address but he didn't respond) Facebook WILL NOT pass that email to your app even if he gave you the email permissions.
So what I did is use his or her Facebook email if the user has a user name (i.e. userName@facebook.com).
I have the same issue. It is working fine on my localhost. I am using the PHP SDK for Facebook login, and when I submit my request it returns all the fields like email, name etc. of the user, but on the server somehow it is not working. It will not return the user's email.
I have done lots of R&D on that and I have the solution for the issue. :)
$profile = $facebook->api('/me?fields=email,first_name,last_name');
If you are using the php-sdk, just pass fields like this and it returns the email, first_name etc.
Hope it works for you all.
Thanks.
All you need to know:
1) Link 1
Some possible reasons:
No Email address on account
No confirmed email address on account
No verified email address on account
User entered a security checkpoint which required them to reconfirm their email address and they have not yet done so
User's email address is unreachable
You also need the 'email' extended permission, even for users who have a valid, confirmed, reachable email address on file.
2) Link 2
Note, even if you request the email permission it is not guaranteed you will get an email address. For example, if someone signed up for Facebook with a phone number instead of an email address, the email field may be empty.
Facebook does not send the email if the user has logged in with their phone number.
View the comments on https://github.com/mkdynamic/omniauth-facebook/issues/61 for more info.
You must give email permission along with the auth button.
authButton.setReadPermissions(Arrays.asList("email"));
In some cases Facebook may not have a valid email address for a user:
email: string containing a valid RFC822 email address - note: this
field may be null if no email address is available for the user
see https://developers.facebook.com/docs/reference/api/user/
@ozba's solution is not applicable because Facebook now shows an alert message when the user has an unconfirmed email address. So, if you're having this problem it's more likely that the user signed up using a phone number.
Some possible reasons:
No Email address on account (only phone number)
No confirmed email address on account
User entered a security checkpoint which required them to reconfirm their email address and they have not yet done so
User's email address is unreachable
Check: https://developers.facebook.com/bugs/298946933534016
According to the documentation:
Note, even if you request the email permission it is not guaranteed you will get an email address. For example, if someone signed up for Facebook with a phone number instead of an email address, the email field may be empty.
That would explain why some users have a null email!
Facebook will provide you a user's email id if and only if that user has a confirmed email id associated with his account. If your app can retrieve the email id for some users, the problem may not be with the developer.
I have read the previous responses, and though some of them are true (like when the user has no confirmed email but a mobile phone number), many times this error happens from not knowing how to request the information using the FB Graph API. Let's say your login was successfully done, and you now have an access token, user id and so on, but still cannot see the email and other fields you are interested in. Go ahead using this request after confirming the login status as connected:
FB.api(
    '/me',
    'GET',
    {"fields": "id,name,birthday,email,about,cover"},
    function(response) {
        // Insert your code here
    }
);
Depending on the permissions you requested, you will now be able to fetch further information according to your needs.
You can try this; it will work:
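As an added example (not code from any of the answers in this thread), the following takes a Graph API /me response and a /me/permissions response and distinguishes "the user declined the email permission" from "Facebook has no email on file for this user", which is what the answers above list as phone sign-up, unconfirmed, checkpointed or unreachable addresses. The two JSON bodies are constructed samples, not captured Facebook responses, and the permissions format assumed is the `{data: [{permission, status}]}` shape of the v2.x /me/permissions edge.

```javascript
// Added example, not from the original answers. Constructed sample responses:
const ME_WITH_EMAIL = JSON.stringify({
  id: "100000000000001", name: "Sample User", email: "Sample@Example.com",
});
const ME_NO_EMAIL = JSON.stringify({ id: "100000000000002", name: "Phone Signup" });
const PERMS_GRANTED = JSON.stringify({
  data: [{ permission: "public_profile", status: "granted" },
         { permission: "email", status: "granted" }],
});
const PERMS_DECLINED = JSON.stringify({
  data: [{ permission: "public_profile", status: "granted" },
         { permission: "email", status: "declined" }],
});

// Always name the fields explicitly, as the answer above does; relying on
// the default field set is one reason the email seems to be "missing".
function meRequestPath(fields) {
  return "/me?fields=" + fields.join(",");
}

// Status of one permission from a /me/permissions body (assumed v2.x shape).
function permissionStatus(permsJson, name) {
  const body = JSON.parse(permsJson);
  const entry = (body.data || []).find((p) => p.permission === name);
  return entry ? entry.status : "not_requested";
}

// Loose shape check only; a well-formed value is still not proof of ownership.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Returns {email, reason, verified}. reason explains a null email so the app
// can react (re-prompt for the permission vs. ask the user for an address).
function interpretEmail(meJson, permsJson) {
  const me = JSON.parse(meJson);
  const status = permissionStatus(permsJson, "email");
  if (status !== "granted") {
    return { email: null, reason: "permission_" + status };
  }
  if (typeof me.email !== "string" || me.email.length === 0) {
    // Permission granted but no address: phone sign-up, unconfirmed,
    // checkpointed or unreachable address. Ask the user for one instead.
    return { email: null, reason: "no_email_on_file" };
  }
  if (!EMAIL_RE.test(me.email)) {
    return { email: null, reason: "malformed_email" };
  }
  // Present and well-formed, but Facebook does not assert ownership, so the
  // app marks it unverified and runs its own confirmation before using it
  // as an account identifier.
  return { email: me.email.toLowerCase(), reason: "ok", verified: false };
}
```

The `verified: false` on the successful path is deliberate: several posts on this page show that an address returned by the Graph API can be unconfirmed, so the app's own verification email is what flips that flag.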
String email = user.getProperty("email").toString();
String safeEmail = user.asMap().get("email").toString();
You need one more permission from Facebook.
Include the (about_me) permission in the Facebook dev settings and also in your app or code.
You just need to add more permissions for whatever data you want from the Facebook object about your user.
Facebook API
$loginUrl = $facebook->getLoginUrl(
    array(
        'req_perms' => 'email'
    )
);
At http://docs.developer.intuit.com/0025_Intuit_Anywhere/0010_Getting_Started/0030_Integrate_your_app/0030_Signing_Into_and_out_of_Intuit_From_Within_Your_App/Sign-in/Implement_SSO_and_OpenID_in_Your_App
it says the following:
"Intuit does not verify the user email address associated with the user's OpenID account. Therefore, do not use the email address for authentication and do not link user accounts based on email address."
What does it mean "do not use the email address for authentication"? I mean, isn't the user already authenticated, through OpenID?
Also it says that the user email address is not verified. But what if my app needs to send an email to a user that has logged through OpenId. How can I be sure the user will actually get the email? What is the recommended pattern to handle that?
Thanks
EDIT: also, can I use the email to uniquely identify a user, and if not, what should I use to uniquely identify a user from the open id response?
EDIT 2: also, is the developer charged when a user logs in with open id and the 36 day trial expires? Or is it just when using the "Connect to quickbooks" that the developer is charged, in which case, open id authentication itself is free?
Clement,
It means when a customer goes to the Intuit Appcenter and creates an account the email is not verified immediately, so you cannot single sign on a user based only on their email address if they already have an account in your system. You need to prompt them to login one time to map the two accounts.
If they are completely new then you can auto provision an account on your side and single sign them in, if you require the customer to verify their email address then you can send them a verification email.
thanks
Jarred
Update
This was reported to Facebook via https://www.facebook.com/whitehat/report/ on Dec 16th 2013 and Facebook responded on Dec 17th that the bug has long since been fixed.
I have retested this with my Facebook account (that I still haven't verified the email address on) and when using the Graph API Explorer tool it is not possible to get the email address of this account using the Graph API or using an FQL query.
Conclusion: The email address you get from Facebook using the Graph API or an FQL query is a verified email. If an account hasn't verified its email yet it's not possible to get it.
Original Post
I am making a web app with SSO that is offering the user to sign in with either Google or Facebook. I would like users who have both types of accounts to show up as the same user in my system regardless of which identity they log in with. To achieve this I'm thinking of using the email address as the identifier to know if I should create a new account or if the user already exists.
To not introduce any security problems I must know that the email address is verified and actually belongs to the user. For Google the userinfo API can tell me if an email is verified or not, so there's no problem here. But I can not find anything like this in the Facebook Graph API.
Is it possible to know if an email address is confirmed on Facebook?
I know that there is a verified field, but that only tells if the account is verified and not the email address.
At first it looked like you are only able to use the Graph API for accounts where the email address has been confirmed. If the address wasn't confirmed I just got an error telling me that I had to confirm the email address first before being able to sign in to any third party site.
However this does not seem to be true for all accounts. In some cases it's possible to get access to all parts of Facebook even if you don't have a confirmed email address. One example of this is when you sign up with a @myopera.com mail address.
When you sign up to Facebook with a @myopera.com email address you get a message that your account has been temporarily locked as soon as you submit the sign up form. To continue you need to provide your phone number to verify your account and to "keep Facebook safe and free from spam" (sorry for the Swedish in the screenshot, this was before I could get into Facebook and change language to English):
When you provide your phone number you are logged in and Facebook doesn't nag you any further about that you have to verify your email address.
The only place where you can see that your email address is not yet verified is on the settings page:
The Mobile Settings that is usually not accessible before you have verified your email address is available and lists the phone number entered during sign up:
In addition to this it is also possible to log in to third party sites with an unconfirmed email address:
When I connect to the graph api with this user I can get the unconfirmed email address and the verified field returns true as expected since I have verified the account by adding a phone number. So obviously I can't trust that the email address I get from Facebook really belongs to the user that has the Facebook account.
Is there any other way of knowing if the email address is verified or not or do I have to verify it myself if I want to use it for identifying the user?
I was looking for an official Facebook statement regarding this issue and finally I found this: https://developers.facebook.com/docs/facebook-login/multiple-providers#postfb1, which clearly says that developers should not rely on the email address being verified.
I've never used it, but you may be able to check with a FQL query of the user.email_hashes: http://developers.facebook.com/docs/reference/fql/user