Is there any way we can keep Facebook permissions as low as possible? Right now, when a new user uses Filepicker to upload images from his Facebook account, it shows 2-3 permissions. I'm assuming that it's set up as default. But can we reduce those permissions to just basic info and photos?
The three permissions that Filepicker.io asks for are: 'user_photos', 'offline_access', 'publish_stream'. The user_photos and publish_stream permissions are for fetching and saving files, respectively. The offline_access is necessary so that file links stay active even after the user has left the application. These scopes are each necessary for Filepicker.io to function, so are not configurable.
I've managed to get an Access Token that doesn't expire, however I've noticed that Data Expiry does have about a 3-month expiry lifespan on it.
From reading Facebook's own documentation, it appears that the access is based on when the user is last active.
Facebook Login also enables you to ask for permissions when people log in to your app. These permissions, if granted by the user, give your app access to items of user data. For example, your app can access a user's name and profile photo.
If an app asks for permissions, it is often necessary to put the app through app review so that Facebook can make sure that data is not misused. Your app can ask for people's name and photo (the default profile fields) and for email without going through app review, but all other permissions require review. For lists of permissions and which ones require app review, see Permissions Reference.
Does this mean that as long as I log into my Facebook profile that's linked - my Data Access will be extended?
It's not related to logging in to your FB profile, but logging in to your app.
It looks like the token gets extended if it's being consistently used.
I'm using an app access token to write to a Facebook user's wall (using the Facebook Graph Toolkit in ASP.NET). I've found that the process works fine if I have publish_stream permission but fails if I only have publish_actions. I would prefer to work only with publish_actions to avoid the second screen permission request.
This issue seems to go against the FB docs, which state "Moving forward, we recommend that apps only ask for publish_actions, as this permission encompasses the other two and we want to simplify the model." (https://developers.facebook.com/docs/concepts/login/permissions-login-dialog/)
I'm wondering if anyone else has experienced and overcome this issue.
You need to check out this.
It says-
publish_actions will now include basic publish_stream permissions (including posting on a user's timeline, posting photos/videos, commenting on and liking content), which will appear on the first Auth Dialog screen. With this change, apps that were previously granted publish_stream do not need to request publish_actions.
as you said, BUT-
If you need specific capabilities like posting to a friend's timeline or to groups, you will still need to request publish_stream, which appears on a second screen where users can also opt out.
I have an app, and I can write to user's walls with it, having requested the publish_stream permission when they sign in.
I've also created a page and a group, and would like my app to be able to write to those. (Specifically, I want my back-end server to post some updates to those periodically, without a user being involved.) The ability to do this seems to be implied by the descriptions of the /feed parts of those here https://developers.facebook.com/docs/reference/api/page/ and here https://developers.facebook.com/docs/reference/api/group/ . However, I can't seem to find a way to authorize the app to write to these pages. Those docs say it can be done if you have publish_streams and manage_pages. OK, but how do I grant those to my app?
In the user case, you request those permissions when the user signs in via the OAuth flow. However, the page and the group never sign-in, so there's no way for them to grant the app permission. I looked around the settings pages for the group and the page, and couldn't find anything that will let me add the app. So how do I give the app the required permissions to post to the group and the page?
Found it!
http://developers.facebook.com/docs/reference/api/application/
http://developers.facebook.com/docs/howtos/login/login-as-page/
"Application Page Access Tokens
To perform the following operations as an Application Page, and not the current user, you must use the Application's Page access token, not the user access token commonly used for modifying Graph API objects nor the Application access token. This access token can be retrieved by issuing an HTTP GET to /USER_ID/accounts with the manage_pages permission. This will return a list of Pages (including Application profile pages) to which the user has administrative access, along with an access_token for each Page.
Note: Applications that are configured as Native/Desktop apps will not be able to make API calls that require an application access_token."
So:
I went to http://developers.facebook.com/tools/explorer/ and, as me, created an access token with "manage_pages" permission.
I then went to https://graph.facebook.com/$myname/accounts?access_token=$accesstoken
and it gave me a list of pages and apps that I had given permission to. I copied the access_token from the relevant page, and pasted that into my code, so that the server-side create event code always used that access token.
And it worked!
I'm building a Facebook application that uses the Facebook OAuth login. I see some existing sites that have a single-page experience that combines application authorization with asking for permissions. But when I build my application, I'm seeing a two-page authorization dialog: application authorization and basic permissions come on the first screen, the second screen asks for additional permissions.
I'd like to get to a single-screen dialog, similar to the one shown on this page:
http://developers.facebook.com/docs/authentication/
but that's not what I'm seeing, even though I use the URL from that page, and even though I use the same Oauth redirect URL that I see in another app that shows the dialog as I want it.
Anyone have any ideas on how to have the older app authentication dialog?
Short answer: that's the way it works now. Facebook changed things. Go figure.
Facebook has changed the way the auth dialog works. It seems like they are trying to discourage use of publish_stream and other permissions and make it easier for users to grant the open graph publish_actions permission.
From the recent blog post:
Added functionality to the publish_actions permission
When we turn on the new auth dialog, we will also add some of the most frequently requested permissions to publish_actions to make the permission more robust and improve conversion. publish_actions now includes the ability to post status updates on the authenticated user’s own timeline, tag photos, publish photos and videos. Other actions such as posting to a friend's timeline still require the use of publish_stream.
Adding these common permissions to publish_actions eliminates the need for extended permissions and the second screen of the auth dialog for the majority of timeline apps built with the Open Graph. This makes the auth process clearer to new users and should improve conversion rates. Additionally, approved Open Graph actions are no longer required for the publish_actions permission. Apps should only ask for the stream_publish permission if they absolutely need functionality not present in publish_actions.
See this blog post for full details and references: https://developers.facebook.com/blog/post/2012/03/02/enhanced-auth-dialog-and-updates-to-permissions/
Subscribing to the Facebook developer blog and monitoring the platform roadmap at https://developers.facebook.com/roadmap/ are good ways to see these changes coming.
I'm building a Facebook app with Facebook login via Oauth 2.0. Will it be possible to request more permissions (scope) from the user in the future as we add features or do we need to request them all up front?
Anyone implemented this with Facebook Connect?
From my experience, you can add permissions later and it'll prompt the user to accept those permissions. For my app, I started with just basic/email permissions and then added photo... and it would prompt for the photo.
You can call Facebook's permissions API (https://graph.facebook.com/me/permissions?access_token=...) to see if the user has authorized the permission you will need (perhaps they later went in and revoked part of your app's permissions but not all of it). If they did, or you just later need different permissions, just show the authorization link like you did the first time with the additional permissions listed in the URL (&scope=email,read_stream...) and it will prompt them for those.
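The check-then-re-prompt flow described in the answer above, as an added example (not code from the thread): it parses a `/me/permissions` response body, works out which required scopes are missing or were revoked, and builds a login-dialog URL that asks only for those. The response bodies are constructed samples covering the two shapes the Graph API has used for this endpoint; the app ID, redirect URI and `state` value are placeholders.

```python
import json
from urllib.parse import urlencode

DIALOG_URL = "https://www.facebook.com/dialog/oauth"

def granted_permissions(body):
    """Return the set of permission names the user currently grants."""
    granted = set()
    for row in json.loads(body).get("data", []):
        if "permission" in row:
            # Newer shape: one row per permission, with an explicit status.
            if row.get("status") == "granted":
                granted.add(row["permission"])
        else:
            # Older shape: a single row mapping permission name -> 1.
            granted.update(name for name, flag in row.items() if flag == 1)
    return granted

def missing_permissions(required, body):
    """Scopes the feature needs that were never granted or were revoked."""
    return sorted(set(required) - granted_permissions(body))

def reauth_url(app_id, redirect_uri, missing, state):
    """Build a dialog URL for the missing scopes only; None if nothing is missing."""
    if not missing:
        return None
    query = urlencode({
        "client_id": app_id,
        "redirect_uri": redirect_uri,
        "scope": ",".join(missing),  # ask for the delta, not every scope again
        "state": state,              # anti-CSRF value, verified on the callback
    })
    return DIALOG_URL + "?" + query

# Constructed sample responses (not captured from a real account).
NEW_STYLE = json.dumps({"data": [
    {"permission": "email", "status": "granted"},
    {"permission": "user_photos", "status": "declined"},
]})
OLD_STYLE = json.dumps({"data": [{"installed": 1, "email": 1}]})

if __name__ == "__main__":
    need = missing_permissions(["email", "user_photos"], NEW_STYLE)
    print(need)
    print(reauth_url("APP_ID_PLACEHOLDER", "https://example.test/cb", need, "random-state"))
```

Requesting only the missing scopes keeps each prompt tied to the feature that needs it, and a `declined` row is treated the same as an absent one, so a partial revocation is caught before the API call fails.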