I am using passport-facebook to authenticate a user via facebook. I previously had the scope [ 'public_profile', 'email' ], but recently added user_friends.
Now, all the existing users run into an interesting issue... they are forced to grant access to user_friends, unchecking it does not let them continue logging in.
Basically, if you're a new user, you can edit the permissions, public_profile being required. You can decline email/user_friends, continue, and never be asked again unless you use auth-type: "rerequest".
However, if an existing user signs in, facebook checks if all of the items in the scope have been requested (in this case user_friends has not). It then displays the dialog box with the friends permission, but hides the other 2, since they've already been asked. (see attached image).
Facebook requires the public_profile to be checked initially, but because it was already granted, it ends up requiring the user_friends permission for the existing users. Seems like this is a bug on facebook's side...
Here's a screenshot:
I've been trying for a while now to find any information regarding the following issue with no success.
I have a player who is already logged in to Facebook and was never prompted to give the friends list permission. Is it possible to prompt that permission request by itself, without the entire login sequence, for an already logged in user?
I.e., the user logs in to Facebook at a certain point in the application, and at a different point I recognise that he is logged in and then ask for the friends list permission as a stand-alone request.
You can ask users for additional permissions at any time by simply calling the login dialog again.
It will only ask the user for permissions they did not already grant in the past.
And no, if the user declines that specific permission, it will not log them out.
Is there a way to mark a scope such as publish_stream as required in Facebook OAuth2?
Currently a user can skip the permission, and that results in a non-working app in my example.
No, you can't do that; in fact Facebook asks you to check for the extended permissions before performing any related action.
You can check at any time which permissions a user has granted with the API /me/permissions. Check out the Graph API Explorer.
There's no way to "require" extended permissions such as publish_stream as far as I know. Facebook has some docs about how to handle those cases where the user only gave some permissions:
https://developers.facebook.com/docs/facebook-login/permissions/#handling
Quote:
If a person declines the login dialog have a clear and upfront explanation about why you are requesting each permission. Then let them click or tap to opt back in to the permission request dialog. Do not immediately redirect them into a permission request dialog without an explanation.
For cases where someone has granted some permissions but not others, only prompt for missing permissions at the point at which they are needed. For example, if your app contains functionality which creates an event on behalf of a person, only prompt for create_event permission whenever they choose to add the event to Facebook.
Unless the permissions you are requesting in the login dialog are critical to the functionality of your app and a feature doesn't work without them, let people continue using your app without the permissions.
I found this article a very nice introduction to setting extended permissions as required
(https://developers.facebook.com/docs/beta/authentication/#referrals)
but when I go to the Auth Dialog settings, the "required permissions" field has been replaced by "user & friend permissions". I can't see the required permissions field. Please help me. Thanks.
You can set extended permissions as required via your call to show the login/authorize screen.
For the JavaScript SDK, it's the second parameter of FB.login(callback, scope).
For the Login social plugin it's the scope attribute.
For the PHP SDK it will be:
    // Array keys must be quoted strings; bare scope / redirect_uri would be
    // treated as undefined constants by PHP.
    $params = array(
        'scope'        => 'read_stream, friends_likes',
        'redirect_uri' => 'https://www.myapp.com/post_login_page'
    );
    $loginUrl = $facebook->getLoginUrl($params);
Per http://developers.facebook.com/docs/reference/api/permissions/ the extended permissions are:
read_friendlists Provides access to any friend lists the user created. All user's friends are provided as part of basic data, this extended permission grants access to the lists of friends a user has created, and should only be requested if your application utilizes lists of friends.
read_insights Provides read access to the Insights data for pages, applications, and domains the user owns.
read_mailbox Provides the ability to read from a user's Facebook Inbox.
read_requests Provides read access to the user's friend requests.
read_stream Provides access to all the posts in the user's News Feed and enables your application to perform searches against the user's News Feed.
xmpp_login Provides applications that integrate with Facebook Chat the ability to log in users.
ads_management Provides the ability to manage ads and call the Facebook Ads API on behalf of a user.
create_event Enables your application to create and modify events on the user's behalf.
manage_friendlists Enables your app to create and edit the user's friend lists.
manage_notifications Enables your app to read notifications and mark them as read. This permission will be required for all access to notifications after October 22, 2011.
offline_access Enables your app to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when they are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.
publish_checkins Enables your app to perform checkins on behalf of the user.
publish_stream Enables your app to post content, comments, and likes to a user's stream and to the streams of the user's friends. With this permission, you can publish content to a user's feed at any time, without requiring offline_access. However, please note that Facebook recommends a user-initiated sharing model.
rsvp_event Enables your application to RSVP to events on the user's behalf.
sms Enables your application to send messages to the user and respond to messages from the user via text message.
publish_actions Enables your application to publish user scores and achievements.
I don't think you can require extended permissions through that dialog, or by using the SDK as suggested above.
In previous versions of the PHP SDK the oauth dialog would return an error if the user did not approve all requested permissions -- this is no longer the case. As long as the user approves the basic permissions, any of the requested extended permissions can be unselected and the user is redirected without a warning or error. I hope that I'm wrong, but from reading the documentation and my own testing, I don't think I am.
From the same page of the documentation that you reference: https://developers.facebook.com/docs/beta/authentication/
"The updated Auth Dialog will display a set of user and friends permissions on the first dialog, and other extended permissions (if any) on a second dialog screen. User and friends permissions are non-revocable, while extended permissions can be revoked by clicking on the "X" next to each permission on the second dialog screen. Your app must be ready to handle each scenario (permissions granted, and revoked) properly."
In other words, if your app requires a specific permission, your code must ensure that the user grants it.
I would like a new user of my canvas app to grant the "friends_online_presence" permission.
On the FB manual page, this permission is listed among the "User and friends Permissions" which should appear on the first page of the registration dialogue and should be non-revocable.
However, Facebook does the opposite - it redirects the user to the second page of the dialogue, where this permission is optional for the user.
If I try to register with other permissions from the list (e.g. friends_likes), it works as expected: the permission is requested as non-revocable on the first screen.
Am I doing something wrong, or is this actually a bug in their documentation?
Thanks!
Probably a bug in their documentation. You can however, check to see which permissions the user accepted. If you find they allowed your app, but not the friends permissions, you can give the user a specific screen telling them they can't use your app.
When the user accesses my app for the first time, I ask for a couple of permissions (user_checkins, publish_stream, offline_access). After allowing all the permissions, the user goes to privacy settings and removes one of the first 2 permissions (not offline_access). Facebook doesn't ask him to re-allow the removed permissions, even if the user logs out and comes back to my application.
The problem appeared when I started asking for the offline access permission: since the access token is not refreshed, the token still contains the permission.
How can I request a new token for the user with the right permissions?
The user will have to delete your application from his approved list and then access your app again. It will ask him to approve the new permissions.
You can query the /me/permissions graph call (specifying the user's access token) and check to see if the permissions you need are there. If they are not, you can prompt them to re-authenticate with your application like you originally did, and it will re-prompt them for those permissions.
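The checks the answers above describe (query /me/permissions, then re-prompt only for what is missing, using auth_type rerequest as the first post mentions) as an added example in JavaScript; this is not code from any post or from passport-facebook or the Facebook SDK, and the scope lists and sample response are constructed assumptions.

```javascript
// Added example, not code from any post above. Given the JSON from a Graph API
// call to /me/permissions (shape: {data: [{permission, status}]}), work out
// which scopes are missing and build the options for a follow-up login dialog
// that re-requests only those, with auth_type=rerequest so Facebook shows scopes
// the user previously declined. Scope lists and the sample response are assumed.
const REQUIRED_SCOPES = ['public_profile'];          // app cannot work without these
const OPTIONAL_SCOPES = ['email', 'user_friends'];   // prompt only where needed

// Constructed sample response for an existing user who declined user_friends.
const samplePermissionsResponse = {
  data: [
    { permission: 'public_profile', status: 'granted' },
    { permission: 'email', status: 'granted' },
    { permission: 'user_friends', status: 'declined' },
  ],
};

// Only entries whose status is exactly "granted" count; "declined", "expired",
// a missing status or a missing data array are all treated as not granted.
function grantedScopes(response) {
  const granted = new Set();
  for (const entry of (response && response.data) || []) {
    if (entry && entry.status === 'granted') granted.add(entry.permission);
  }
  return granted;
}

function planPermissionRequest(response, required, optional) {
  const granted = grantedScopes(response);
  const missingRequired = required.filter((s) => !granted.has(s));
  const missingOptional = optional.filter((s) => !granted.has(s));
  const missing = missingRequired.concat(missingOptional);
  return {
    canContinue: missingRequired.length === 0,   // gate features, not the login
    missingRequired,
    missingOptional,
    // Options for FB.login / the login URL: ask only for what is missing.
    rerequest: missing.length === 0
      ? null
      : { scope: missing.join(','), auth_type: 'rerequest' },
  };
}

const decision = planPermissionRequest(
  samplePermissionsResponse, REQUIRED_SCOPES, OPTIONAL_SCOPES);
console.log(JSON.stringify(decision));
```

With the sample response the user may continue (public_profile is granted) and only user_friends is re-requested; if public_profile itself were declined, canContinue would be false and the app would show its explanation screen instead.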