Is there a way to mark a scope such as publish_stream as required in Facebook OAuth2?
Currently a user can skip the permission and that results in a non working app in my example.
No you cant do that, in fact facebook asks to check for the extended permissions before performing any related action.
You can any time check for the permissions a user has granted with the API- /me/permissions. Check out- Graph API Explorer
There's no way to "require" extended permissions such as publish_stream as far as I know. Facebook has some docs about how to handle those cases where the user only gave some permissions:
https://developers.facebook.com/docs/facebook-login/permissions/#handling
Quote:
If a person declines the login dialog have a clear and upfront
explanation about why you are requesting each permission. Then let
them click or tap to opt back in to the permission request dialog. Do
not immediately redirect them into a permission request dialog without
an explanation.
For cases where someone has granted some permissions but not others,
only prompt for missing permissions at the point at which they are
needed. For example, if your app contains functionality which creates
an event on behalf of a person, only prompt for create_event
permission whenever they choose to add the event to Facebook.
Unless the permissions you are requesting in the login dialog are
critical to the functionality of your app and a feature doesn't work
without them, let people continue using your app without the
permissions.
Related
Facebook sent an attention alert about the permission the App is requesting:
Permissions
Your app asks for read and write permissions at the same time. You should only ask for write permissions when a user tries to share something to Facebook. Please update your app accordingly. Read our best practices for more details.
In fact during authentication App is requesting those permissions:
read_friendlists, publish_stream, offline_access, email
But App is not using FB login so according to second point of this section "Publishing permissions", we can ask for both read and write permission:
https://developers.facebook.com/docs/facebook-login/permissions/#publishing
In this situation, can the Alert be ignored?
The "problem" with your request is the read_friendlists permission, the guidelines in case of non-facebook login says:
In this case, make sure that the only read permissions you request are
public profile and friend list.
Also the offline_access han been deprecated and not useful anymore
So you should ask for read_friendlists in a separate request, the alert does not affect the functionality of the app but maybe it will affects other things like quota or apps store.
Hope this helps
I have implemented a server-side login flow for a facebook page management application to allow my users to grant the necessary permissions to this application. So far, this works nicely and allows my application to obtain a "page access token" after being granted the manage_pages permission.
However, during the login flow, the facebook UI on facebook.com requests both the manage_pages permission (which is what I asked for) and the permission to see the list of friends of the user (which I did not ask for).
To be specific, I redirect the user to https://www.facebook.com/dialog/oauth?client_id=...&redirect_uri=...&state=...&response_type=code&scope=manage_pages.
Is there a way to convince the facebook UI to not request permission from the user to see his list of friends ?
For reference, since I spent a good amount of time researching an answer to that question, I believe that it is impossible to explicitely not request permission from the user to see his list of friends. The Facebook documentation hints at this by stating that these are the "default" permissions that every application gets.
My goal is to have my app be able to read my users stream using the extended permission "read_stream" , however when requesting that permission the dialog doesn't show me having requesting that permission.
I have no trouble requesting the email, or publish_actions permissions, but read_stream is a no go as well as other various extended permissions. Here is an example of what I am using for the facebook login:
https://www.facebook.com/dialog/oauth?scope=publish_actions%2Cread_stream&redirect_uri=http%3A%2F%2Fwww.MYDOMAIN.com%2Fsocialregistration%2Ffacebook%2Fconnect%2F&display=popup&client_id=MYAPPID
Is there another permission I need to request when requesting read_stream ? Is there something I need to change in my facebook app settings specifically for the scope permission request? My goal is to be able to get permission for "read_stream".
Thank you for any input!
The method I describe does work! The issue was that there is a second facebook prompt for the extended permissions that occurs AFTER the initial prompt for permissions.
What is confusing is that facebook shows permissions for email and publish_actions on the first facebook dialog box instead of in a consistant manner for all the extended permissions....but that's facebook's choice!
So hopefully this helps anybody else that was confused like me!
I would like a new user of my canvas app to grant the "friends_online_presence" permission.
On the FB manual page, this permission is listed among the "User and friends Permissions" which should appear on the first page of the registration dialogue and should be non-revocable.
However, Facebook does the opposite - it redirects the user to the second page of the dialogue, where this permission is optional for the user.
If I try to make registration with other permissions from the list (i.e. friends_likes), it works as supposed - the permission is requested as non-revocable on the first screen.
Am I doing something wrong or this is actually a bug in their documentation?
Thanks!
Probably a bug in their documentation. You can however, check to see which permissions the user accepted. If you find they allowed your app, but not the friends permissions, you can give the user a specific screen telling them they can't use your app.
I'm building a Facebook app with Facebook login via Oauth 2.0. Will it be possible to request more permissions (scope) from the user in the future as we add features or do we need to request them all up front?
Anyone implemented this with Facebook Connect?
From my experience, you can add permissions later and it'll prompt the user to accept those permissions. For my app, I started with just basic/email permissions and then added photo... and it would prompt for the photo.
You can call Facebook's permissions api (https://graph.facebook.com/me/permissions?access_token=...) to see if the user has authorized the permission you will need (perhaps they later when in and revoked part of your apps permission but not all of it). If they did, or you just later need different permissions, just show the authorization link like you did the first time with the additional permissions listed in the url (&scope=email,read_stream...) and it will prompt them for those.