Facebook UI and API show different permissions granted, can't re-request - facebook

I have an app that lets you schedule posts to Facebook for your Facebook Pages, among other things.
For some reason late last week, the API started showing users of my app having different permissions than the Facebook UI (Settings->Apps->(my app)). The app was working fine for months, and suddenly stopped because of this permission change.
The users did not make any changes to the App's permissions, or their global security settings. Facebook still shows the correct permissions for the App for the logged in user in their App settings [1]. When logged into my site, however, the API request shows none of the extended_permissions [2]. The users have not changed their FB password. I have confirmed the app is requesting the correct user via the API.
Things I've tried:
When I force a re-request of the extended_permissions (manage_pages, publish_stream, read_insights), it is simply ignored.
When I add a new permission (manage_ads), ONLY that permission is requested in the UI.
When the user removes the app in Facebook and re-installs, only the new permission (manage_ads) is requested.
If I remove manage_ads from the request and the user removes and re-installs, no extended_permissions are asked for.
If I make the user a developer/admin of my App in the Developer/App settings on FB, everything works as expected and the user is prompted for the correct permissions again. (and everything has been working for me, the admin of the app, this entire time)
I'm not sure what to do or how to proceed! Thank you in advance!
See screenshots here of the user's Facebook settings page and print_r of /me/permissions:
[1] http://i.stack.imgur.com/eS7Kw.png (Facebook UI in App Settings)
[2] http://i.stack.imgur.com/pZYYJ.png (Facebook API /me/permissions)

Related

Getting Facebook page access token only for app admin

I have a livestreaming (consumer) app with an associated Facebook page, and my goal is to broadcast streams from my app onto my Facebook page (live).
I have understood that part of the process to do this is getting a page access token from an admin of the page (like myself), who has granted my app the pages_read_engagement and pages_manage_posts permissions (which I have not done). However, in order to request those permissions, it seems like I would have to change the status of my app in Facebook (from being a consumer app), add those permissions, and undergo app review, even though I only want to request those permissions from a specific user. (This particular method is also not possible, since I already have 200,000+ users actively using my app.)
So my question is, how can I get a Facebook page access token for only a specific user of a specific page?

Is it possible to log users out of my web app but keep them logged in with Facebook using Javascript sdk?

API page is here: https://developers.facebook.com/docs/javascript/reference/v2.6
As far as I know, if users have already authorized a web app (a website), then invoking FB.login() and FB.logout() in the web app is essentially logging the user in or out of Facebook and returning some data to the web app (of course you need an access token to do this). Assume you have two pages opened, one is your web app, the other is facebook.com. Both are logged out initially. Now if you log in with your Facebook account in the web app page, and then refresh the other page, you will find that both are logged in. It's similar for the case of logging out.
Well, correct me if my understanding is wrong. I totally understand there are reasons for the logic.
Is there a way to log out users from my web app but keep them logged in with Facebook and without revoking permission?
I've tried with Google+ OAuth. It seems that using Google+ API is able to log out users from the web app and keep them logged in with Google+.
Well, it is how it should be. You want your app to be an interface for the "Facebook app" login, why is that? Consider the scenarios from the user's point of view:
The user is logged in and browsing Facebook. He finds your useful application and logs in to your app (providing the required permissions). Before leaving your app, he logs out of the app. He then gets back to Facebook and continues browsing there. All good!
The user is NOT logged in to Facebook. He logs into your app, browses your app, then logs out of it. Then, when he opens facebook.com, why would he expect to be logged in to Facebook automatically? I think he won't think that, and he'll log in to Facebook and continue.
The point is simple here:
If the user logs into Facebook, he'll be logged in until and unless he logs out from Facebook.
If the user is not logged into Facebook but logs into your app, he will be logged in to Facebook until he logs out from your app.

Facebook not asking for permissions

I'm developing a Facebook canvas app and I'm testing how the whole permissions thing works.
One thing is calling my attention and I think it's kind of weird: the first time a user enters the app, Facebook sends the signed_request without the user_id and access token (as expected). Then my app redirects to the Login Dialog, so the user can authorize the app and give the asked permissions.
At this point something strange happens: Facebook is automatically redirecting the user to my app with the given permissions (and user_id and access token), but without prompting the user to give the permissions.
I have verified this behavior with test users and testers.
Is this normal? Is it possible to "force" (for testing purposes) the "ask for permissions" screen?
It is normal on a second or later use of the Facebook app.
Remove the app's permission from the Facebook account before starting the app to get back the ask for permission screen.
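
The signed_request behaviour described in this thread can be checked server-side. The following is an added example, not code from the original posts: a Node.js verifier for the documented `signature.payload` format (both parts base64url, HMAC-SHA256 keyed with the app secret). The secret, IDs and token are constructed sample values, and `makeSignedRequest` is a hypothetical helper used only to build demo input.

```javascript
const crypto = require('crypto');

// Verify the HMAC first, then decode; the payload is untrusted until the check passes.
function parseSignedRequest(signedRequest, appSecret) {
  const parts = String(signedRequest).split('.');
  if (parts.length !== 2) throw new Error('malformed signed_request');
  const [encodedSig, encodedPayload] = parts;

  const expected = crypto.createHmac('sha256', appSecret).update(encodedPayload).digest();
  const given = Buffer.from(encodedSig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }

  const payload = JSON.parse(Buffer.from(encodedPayload, 'base64url').toString('utf8'));
  if (String(payload.algorithm).toUpperCase() !== 'HMAC-SHA256') {
    throw new Error('unexpected algorithm');
  }
  // Before the user authorizes the app, user_id and oauth_token are absent.
  return {
    authorized: Boolean(payload.user_id && payload.oauth_token),
    userId: payload.user_id || null,
    issuedAt: payload.issued_at,
  };
}

// Hypothetical helper: builds constructed sample input for the demo.
function makeSignedRequest(payload, appSecret) {
  const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
  const sig = crypto.createHmac('sha256', appSecret).update(body).digest().toString('base64url');
  return `${sig}.${body}`;
}

const APP_SECRET = 'constructed-app-secret';
const firstVisit = makeSignedRequest({ algorithm: 'HMAC-SHA256', issued_at: 1700000000 }, APP_SECRET);
const afterLogin = makeSignedRequest(
  { algorithm: 'HMAC-SHA256', issued_at: 1700000100, user_id: '1000001', oauth_token: 'constructed-token' },
  APP_SECRET
);

console.log(parseSignedRequest(firstVisit, APP_SECRET));
console.log(parseSignedRequest(afterLogin, APP_SECRET));
```

Logging the `authorized` flag on each canvas load shows whether a redirect back from the Login Dialog carried a fresh grant or an existing one.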

facebook php authentication returns user "denied" permissions when I click "allow"

I use the PHP SDK for my app. I get the login URL with $facebook->getLoginUrl() and some extended permissions.
When the user is redirected to that page, the permissions dialog is displayed. When he clicks allow, he gets redirected back to my website but with error_reason=user_denied passed in the URL.
I tried removing the application from the user's Facebook account and deleting all cookies / caches in the browser, but still can't make it work.
I saw there is another question on StackOverflow about this issue but got no answer...
Facebook authentication returns "denied" even if I click allow
Took me a little while to figure this one out. The issue is related to the fact that you are in sandbox mode, but disabling it is not the way to fix this.
When you add a Facebook user to your app (as a tester, developer, admin, etc) they are initially given a Pending status. While the user has that pending status, they can view your Facebook app but can not grant privileges to it.
To remove the pending status, you need the person who you've granted the role to to log into their account. In their notifications you will see that they have been granted the role for the Facebook app. The user then has to click on that notification and accept it. Once accepted, the user is no longer pending and can accept Facebook privilege requests from the App.
I fixed this problem by disabling the app's sandbox mode.

Preventing facebook user to automatically login my site

Well, I have used the Facebook API a couple of times. But yesterday I came across a site which was really new to me. Here's the scenario:
If a user is logged in at Facebook and comes to my site, he will automatically be logged in without being asked, and if the user logs out of my site he also gets logged out of Facebook. But the site I saw yesterday had handled it perfectly: the user does not get logged in to their site automatically, and even if the user logs out from their site, he does not get logged out of Facebook.
So any help? What is this technique called? Or any relevant help?
Best Regards
Most sites handle the login/authentication by using the login status of the user at Facebook's end.
To do what you want, simply add an additional layer of authentication / login status checking at your own site.
The site-level login status is to be retained only for the current session. In other words, once the user goes away from the site, the site-level login status is gone. With this, when the user returns, you know that he needs to log in again.
When the user logs out from your site, you only log him out of your site and do nothing about the Facebook login.
Using the Facebook SDK, it will likely tell you the user is logged out when not logged into Facebook, which in theory is the correct behaviour of the whole system, as Facebook wants users to always be connected to Facebook. I quote Facebook:
As long as the user is signed into Facebook, they are automatically signed into your site as well.
So if they aren't connected to Facebook, you aren't connected to other sites. In a way it's a deterrent and increases Facebook's market.
But anyhow, it's likely the site you are describing is implementing its own authentication system rather than using Facebook's own SDK, or if they are using the SDK, they are using it in moderation and understand about cookies/the above.
The flow to allow the user to be logged into Facebook but out of your site is as so:
When a user logs out of their site, it will unset session data for the site's own application, and also unset Facebook cookies, etc. That way the user is still logged into Facebook but out of your site.
When they try to log in again, Facebook will detect no cookies are available and hence will re-authenticate and pass you onto the url as passed during the authentication process. Your site will then login the user to the site's own application, setting any session variables, etc.
You need to check how you are handling the FB logins and sessions at your end.
My guess is you check the login status at your site and there are some access_tokens for your app ID in your browser's cookies which are helping you to log in,
and when logging out from your site you are explicitly logging the user out of FB as well
(that's what you are describing, at least).
You seem to be explicitly calling logout or clearing the cookies for the FB app ID.
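
The "additional layer" of site-level login status that the answers above describe can look like the following. This is an added example, not code from the original posts: a Node.js sketch with an in-memory store, where the cookie name `site_sid` and all function names are hypothetical, and `loginToSite` is assumed to be called only after the site has verified the Facebook login on the server.

```javascript
const crypto = require('crypto');

const COOKIE = 'site_sid';   // hypothetical cookie name
const sessions = new Map();  // sid -> { fbUserId }; in-memory store for the demo

// Create the site's own session once the Facebook login has been verified.
function loginToSite(fbUserId) {
  const sid = crypto.randomBytes(32).toString('hex');
  sessions.set(sid, { fbUserId });
  // No Expires/Max-Age: the browser drops the cookie when its session ends.
  return `${COOKIE}=${sid}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Extract the site session id from a Cookie request header.
function readSid(cookieHeader) {
  const re = new RegExp('(?:^|;\\s*)' + COOKIE + '=([0-9a-f]{64})(?:;|$)');
  const m = re.exec(cookieHeader || '');
  return m ? m[1] : null;
}

// Login status is decided by the site's session alone, never by Facebook cookies.
function currentUser(cookieHeader) {
  const s = sessions.get(readSid(cookieHeader));
  return s ? s.fbUserId : null;
}

// Logout invalidates the server-side session and expires the site cookie.
// It never calls FB.logout(), so the facebook.com session is unaffected.
function logoutOfSite(cookieHeader) {
  sessions.delete(readSid(cookieHeader));
  return `${COOKIE}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`;
}
```

Deleting the server-side entry matters as much as expiring the cookie: a copied `site_sid` value stops working the moment the user logs out.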