I'm using Facebook as a social identity provider, in order to authenticate users of my system. I don't want anything else from Facebook, other than the identity of the user (e.g. the user's Facebook id).
I'm making a passive request to https://www.facebook.com/dialog/oauth?client_id={app-id}&redirect_uri={redirect-uri}&scope=public_profile - more details here: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow (see section: invoking the login dialog).
There are several scope options, listed here: https://developers.facebook.com/docs/facebook-login/permissions#reference-public_profile
My problem is that there doesn't seem to be a scope that limits the access to just the user's Facebook id. This means that when the user first federates, Facebook presents them with a worrying message about all the additional info my app will have access to (see screenshot below). This doesn't work for me, I just need the user's Facebook id - I don't want to ask the user for all this additional stuff. Is it possible to restrict the scope down to just the user's id?
If you ask an user to authenticate your app, the minimum that your app always asks for is the public_profile. You can't get any information fewer than that.
You can read more on the permission here: https://developers.facebook.com/docs/facebook-login/permissions
Related
I have an app, and I can write to user's walls with it, having requested the publish_stream permission when they sign in.
I've also created a page and a group, and would like my app to be able to write to those. (Specifically, I want my back-end server to post some updates to those periodically, without a user being involved.) The ability to do this seems to be implied by the descriptions of the /feed parts of those here https://developers.facebook.com/docs/reference/api/page/ and here https://developers.facebook.com/docs/reference/api/group/ . However, I can't seem to find a way to authorize the app to write to these pages. Those docs say it can be done if you have publish_streams and manage_pages. OK, but how do I grant those to my app?
In the user case, you request those permissions when the user signs in via the OAuth flow. However, the page and the group never sign-in, so there's no way for them to grant the app permission. I looked around the settings pages for the group and the page, and couldn't find anything that will let me add the app. So how do I give the app the required permissions to post to the group and the page?
Found it!
http://developers.facebook.com/docs/reference/api/application/
http://developers.facebook.com/docs/howtos/login/login-as-page/
"Application Page Access Tokens
To perform the following operations as an Application Page, and not the current user, you must use the Application's Page access token, not the user access token commonly used for modifying Graph API objects nor the Application access token. This access token can be retrieved by issuing an HTTP GET to /USER_ID/accounts with the manage_pages permission. This will return a list of Pages (including Application profile pages) to which the user has administrative access, along with an access_token for each Page.
Note: Applications that are configured as Native/Desktop apps will not be able to make API calls that require an application access_token."
So:
I went to http://developers.facebook.com/tools/explorer/ and, as me, created an access token with "manage_pages" permission.
I then went to https://graph.facebook.com/$myname/accounts?access_token=$accesstoken
and it gave me a list pages and apps that I had given permission to. I copied the access_token from the relevant page, and pasted that into my code, so that the server-side create event code always used that access token.
And it worked!
I need to implement a system to retrieve information from a user of facebook independently of the user being logged into facebook.
I have user access token in my database but every time the user needs to login on facebook.
My question is how the authentication of Hootsuite (hootsuite.com) works because there it is not necessary.Just logging in the Hootsuite is possible to recover all data from facebook.
What you are talking about (If I understand you correctly) is a breech of privacy in the eyes of Facebook. A user has to be interacting with an application in order for it to retrieve information about the user.
Facebook's API access works by means of an access_token that is specific to the user and the application that requested it. access_token's have a limited time frame that they are valid, after that the application would have to request a new one or request an extension on that token. In either case, the user would have to be interacting with the application, and therefore logged into Facebook, when such a request is made.
I'm unfamiliar with the website you referred to but it is not in the scope of this site to reverse engineer some one else's application.
I found the article very nice to introduction set extended permission required
(https://developers.facebook.com/docs/beta/authentication/#referrals)
but I go to Auth Dialog setting, the field required permission replaced users & friend permission. I can't see field required permission. please help me. thanks
You can set extended permissions required via your call to the show the login/authorize screen.
For Javascript SDK, it's the second parameter of FB.login(callback,scope).
For the Login social plugin it's the scope attribute.
For PHP SDK it will be
$params = array(
scope => 'read_stream, friends_likes',
redirect_uri => 'https://www.myapp.com/post_login_page'
);
$loginUrl = $facebook->getLoginUrl($params);
Per http://developers.facebook.com/docs/reference/api/permissions/ the extended permissions are:
read_friendlists Provides access to any friend lists the user created. All user's friends are provided as part of basic data, this extended permission grants access to the lists of friends a user has created, and should only be requested if your application utilizes lists of friends.
read_insights Provides read access to the Insights data for pages, applications, and domains the user owns.
read_mailbox Provides the ability to read from a user's Facebook Inbox.
read_requests Provides read access to the user's friend requests
read_stream Provides access to all the posts in the user's News Feed and enables your application to perform searches against the user's News Feed
xmpp_login Provides applications that integrate with Facebook Chat the ability to log in users.
ads_management Provides the ability to manage ads and call the Facebook Ads API on behalf of a user.
create_event Enables your application to create and modify events on the user's behalf
manage_friendlists Enables your app to create and edit the user's friend lists.
manage_notifications Enables your app to read notifications and mark them as read. This permission will be required to all access to notifications after October 22, 2011.
offline_access Enables your app to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time period to ensure applications only make requests on behalf of the user when the are actively using the application. This permission makes the access token returned by our OAuth endpoint long-lived.
publish_checkins Enables your app to perform checkins on behalf of the user.
publish_stream Enables your app to post content, comments, and likes to a user's stream and to the streams of the user's friends. With this permission, you can publish content to a user's feed at any time, without requiring offline_access. However, please note that Facebook recommends a user-initiated sharing model.
rsvp_event Enables your application to RSVP to events on the user's behalf
sms Enables your application to send messages to the user and respond to messages from the user via text message
publish_actions Enables your application to publish user scores and achievements.
I don't think you can require extended permissions through that dialog, or by using the SDK as suggested above.
In previous versions of the PHP SDK the oauth dialog would return an error if the user did not approve all requested permissions -- this is no longer the case. As long as the user approves the basic permissions, any of the requested extended permissions can be unselected and the user is redirected without a warning or error. I hope that I'm wrong, but from reading the documentation and my own testing, I don't think I am.
From the same page of the documentation that you reference: https://developers.facebook.com/docs/beta/authentication/
"The updated Auth Dialog will display a set of user and friends permissions on the first dialog, and other extended permissions (if any) on a second dialog screen. User and friends permissions are non-revocable, while extended permissions can be revoked by clicking on the "X" next to each permission on the second dialog screen. Your app must be ready to handle each scenario (permissions granted, and revoked) properly."
IOW, if your app requires a specific permission your code must ensure that the user grants it.
On a rich media banner, which obviously would appear on several different sites, is it possible to access a user's facebook information such as their photos?
The user would need to grant permission to the banner -- not sure if that's possible though.
There is some Facebook information that is publicly accessible to "anonymous" applications (i.e. unauthenticated/unauthorized). These include but are not limited to name and profile picture. It really depends on how public a user's profile is. However, I'm not sure you can get whatever the currently viewing user's info is. That's typically gotten by making an API request to /me which requires being authenticated.
However, if you're authenticated by the user, you can use whatever information they've granted you access to (specified by you during the OAuth process).
I'm using facebook connect to allow the visitors login to a website using their facebook account.
The only information needed is that the user id and name.
However the facebook connect dialog states that my app will access all the users friends, photos...
How can I configure my facebook application to not request those data?
The quick answer, you can't. The dialog states that you have the ability to access the user's information. Whether you access it or not is up to you, but the ability to is always there. There is a base level of access granted to all apps. You can prompt for extended permissions, but you can't customize the base level.
This may change going forward with OpenGraph. There are still features Facebook is adding, and some existing, undocumented features.