With Twitter OAuth, the user gets the following:
I only need to post tweets, is it possible to only ask for only that?
Facebook supports a "scope" parameter when requesting authentication, but I don't see anything like that for Twitter:
Twitter Authorization
I don't think that is possible at the moment. The only permissions available at the app settings page are "Read only", "Read and Write" (which you're using) and "Read, Write and Access direct messages".
Related
The Facebook Platform Policies section 1.6 clearly states
Your website must offer an explicit "Log Out" option that also logs the user out of Facebook.
The Login Flow for Web without Javascript SDK says on Logging people out
You can log people out of your app by undoing whatever login status indicator you added, for example deleting the session that indicates a person is logged in. You should also remove the stored access token.
On the other hand the Login Flow for Web says about Logging people out
Note: This function call will also log the person out of Facebook. The reason for this is that someone may have logged into your app and into Facebook during the login flow. If this is the case, they might not expect to still be logged into Facebook when they log out of your app. To avoid confusing people and to protect personal security, we enforce this logout behavior.
So in my understanding the Login Flow with JS SDK does what the policy says, it logs the user out of Facebook as well. How do I implement the Login Flow without JS JSDK correctly, such that i do not violate the Facebook Platform Policy? So far i don't see that the Graph API offers a similar functionality.
That should be easy, looking at the PHP SDK’s method getLogoutUrl, that creates an URL of the following scheme:
https://www.facebook.com/logout.php?next=FOO&access_token=USER_ACCESS_TOKEN
For FOO you just place the URL of your website where you want the user to be redirected to after they are successfully logged out of Facebook (don’t forget to properly URL-encode that value), and USER_ACCESS_TOKEN should be self-explanatory. (You need an active user access token to log the user out of Facebook – obviously, because otherwise every site on the web could just redirect me to this address and log me out of Facebook, without me actually wanting that to happen.)
I'm building a Facebbook application that uses the Facebook oauth login. I see some existing sites that have a single-page experience that combines application authorization with asking for permissions. But when I build my application, I'm seeing a two-page authorization dialog: application authorization and basic permissions come on the first screen, the second screen asks for additional permissions.
I'd like to get to a single-screen dialog, similar to the one shown on this page:
http://developers.facebook.com/docs/authentication/
but that's not what I'm seeing, even though I use the URL from that page, and even though I use the same Oauth redirect URL that I see in another app that shows the dialog as I want it.
Anyone have any ideas on how to have the older app authentication dialog?
Short answer: that's the way it works now. Facebook changed things. Go figure.
Facebook has changed the way the auth dialog works. It seems like they are trying to discourage use of publish_stream and other permissions and make it easier for users to grant the open graph publish_actions permission.
From the recent blog post:
Added functionality to the publish_actions permission
When we turn on the new auth dialog, we will also add some of the most frequently requested permissions to publish_actions to make the permission more robust and improve conversion. publish_actions now includes the ability to post status updates on the authenticated user’s own timeline, tag photos, publish photos and videos. Other actions such as posting to a friend's timeline still require the use of publish_stream.
Adding these common permissions to publish_actions eliminates the need for extended permissions and the second screen of the auth dialog for the majority of timeline apps built with the Open Graph. This makes the auth process clearer to new users and should improve conversion rates. Additionally, approved Open Graph actions are no longer required for the publish_actions permission. Apps should only ask for the stream_publish permission if they absolutely need functionality not present in publish_actions.
See this blog post for full details and references: https://developers.facebook.com/blog/post/2012/03/02/enhanced-auth-dialog-and-updates-to-permissions/
Subscribing to the Facebook devleoper blog and monitoring the platform roadmap at https://developers.facebook.com/roadmap/ are good ways to see these changes coming.
I'm new to all this. This is what i'm after and i'm sure it's possible.
I've got a script where people can register/login in to as members. What i'd like to do is tie it in so that it just uses Facebook users details for the registrations. I've managed to set it up to sign up and and complete a registration using a user's name and email.
What i'd like to do now is automatically log the user in if they're logged in on facebook, is this possible or will they need to click a login button that then takes them to their page? If they need to click a button to login, how do I go about getting the button to take their facebook details and log them in? Also what happens in regards to passwords on my site? Is that stored in the app somehow?
Ideally i'd like to use the popup version of verification rather than the iframe that i've got set up at the moment.
Cheers in advanced for any help for a n00b!
This is in fact possible. Although I for my part was never a fan of such things here's some human-readable (simplified) theory:
Facebook uses a system called OAuth ( http://de.wikipedia.org/wiki/OAuth ). That means, when you want to have the user login onto your site using Facebook you'll of course need to provide a button/facebook-login-frame (see documentation) that says "Log me in with Facebook" or so. You then access Facebooks API (more here: https://developers.facebook.com/ ) and basically tell Facebook who you are ("Hi I'm website XY"). While that happens your user is redirected to Facebooks "permission-landing-page". On that page he needs to confirm whether he is fine with your website accessing certain information (like his name). If he confirms your website receives an access-token granting you access to a subset of his user information which you can then use to personalize his expeirence on your website.
Check out facebooks documentation because they explain exactly your usecase in detail.
(here: https://developers.facebook.com/docs/authentication/ )
PS: You'll of course never have any access to his Facebook login/password. That's kind of the idea behind "delegating" the authentication via OAuth to Facebook. Facebook only provides you with an access token (bound to that particular user who logged in and granted your app/website permissions)
I'm using facebook connect to allow the visitors login to a website using their facebook account.
The only information needed is that the user id and name.
However the facebook connect dialog states that my app will access all the users friends, photos...
How can I configure my facebook application to not request those data?
The quick answer, you can't. The dialog states that you have the ability to access the user's information. Whether you access it or not is up to you, but the ability to is always there. There is a base level of access granted to all apps. You can prompt for extended permissions, but you can't customize the base level.
This may change going forward with OpenGraph. There are still features Facebook is adding, and some existing, undocumented features.
How do I make an app that doesn't ask for permission when you load it?
Or is that impossible? The only thing the application does is post to the user's wall, but can't I authenticate for that after they load the application?
You can, not sure why others are so positive that it is not possible.
On your server side you can check through facebook api if current user granted you required permission. If not, pass some flag to your fbml where you can display permission prompt link:
Would you like to <fb:prompt-permission perms="publish_stream">allow us</fb:prompt-permission> to post on your wall?
You are not obligated to require users to authorize your app either (but you need authorization before checking for granted permissions or retreiving any user information), you can still allow users to use your app. In fact allowing users to use an app without authorization is even encouraged by facebook recommendations. For optional authorization you can put such fbml on your page:
<fb:if-is-app-user>
<fb:else><a href="http://www.facebook.com/login.php?api_key=...&v=1.0>Would you like to authorize this app?</fb:else>
</fb:if-is-app-user>
If you want to post to their wall via a prompt instead of requiring prior authorization, you should use the connect library. Then you can use some javascript to open the dialog.
In fact, another SO question gives you exactly what you need.
Or is that impossible. The only thing
the application is going to do is post
to the users wall, but can't I
authenticate them for that after they
load the application?
To publish content to users' walls, you need to have the steam_publish permission from them first.