In my app, I have my user connect with FB and grant my app permissions.
When they click the Connect button , the FB popup is displayed and they get the
"Login with facebook" and then they need to grand permissions to publish_stream, manage_pages, email.
the problem i am having with my code, is if they remove one of the permissions (like manage_pages ) checkLoginStatus still lets the user continue.
So how to i verify that the user has granted the requested permissions?
<div id="fb-root"></div>
<script src="//connect.facebook.net/en_US/all.js"></script>
<script type="text/javascript">
FB.init({
appId: '<?=FB_APP_ID?>',
status: true,
cookie: true
});
FB.getLoginStatus(checkLoginStatus);
function authUser() {
FB.login(checkLoginStatus, {scope:'publish_stream, manage_pages, email'});
}
function checkLoginStatus(response) {
if(response && response.status == 'connected') {
$('#connbut').hide();
FB.api('/me', function(user) {
if (user) {
$('#fbuser-name').text(user.name);
$('#fbuserpict').attr('src', 'https://graph.facebook.com/' + user.id + '/picture');
$('#fbname').val(user.name);
$('#fbpict').val('https://graph.facebook.com/' + user.id + '/picture');
}
});
} else {
// Display the login button
$('#connbut').show();
}
}
</script>
the problem i am having with my code, is if they remove one of the permissions (like manage_pages ) checkLoginStatus still lets the user continue.
Of course it does, because FB.getLoginStatus says nothing about permissions – it only tells you whether the user is connected to your app or not.
So how to i verify that the user has granted the requested permissions?
You can ask about the permissions the user has currently given your app by requesting /me/permissions (or even just ask for specific permissions using field expansion).
But doing so client-side via JS seems to be cached somehow – asking for permissions, seeing there’s one missing, calling FB.login and asking again will, from my experience, most likely still show the same permissions as before, even if the user has given additional permissions in between. The only way to get reliable information in real time seems to be to do it server-side.
Related
We are developing a website at www.bodecanada.com. One of the login methods we provide is facebook. We also try to keep track of whether the user is logged into facebook or not when refreshing the page or opening the site in a new tab. We do this by calling FB.getLoginStatus() (from the Facebook js sdk). However, we are finding that in a few cases--for example, when opening the site in a new tab in Safari--the response status that comes back from FB.getLoginStatus is 'unknown'. The Facebook SDK documentation says this about the 'unknown' status:
FB.getLoginStatus() allows you to determine if a user is logged in to
Facebook and has authenticated your app. There are three possible
states for a user:
The user is logged into Facebook and has authorized your application. (connected)
The user is logged into Facebook but has not authorized your application.(not_authorized)
The user is either not logged into Facebook or explicitly logged out of your application so it doesn't attempt to connect to Facebook
and thus, we don't know if they've authenticated your application or
not. (unknown)
We are dealing with #3 in this case. However, when I visit facebook, I find I am not logged out. But at the same time, I am not "explicitly logged out" (meaning FB.logout() is called) from my site. So why is it returning 'unknown'?
One solution I found on google says to add cookies: true to FB.init() in order to enable 3rd party cookies, so I did so:
FB.init({
appId : process.env.FB_APP_ID,
cookie : true,
xfbml : true,
version : 'v2.2'
});
But this doesn't change anything.
So why does FB.getLoginStatus() return 'unknown' for the response status when I open the site in a new tab?
Thanks.
I had the same issue when I closed and reopened the browser again. What I did is put the fb.login function if the status is unknown. But, emergent windows must be enabled in the browser:
function statusChangeCallback(response) {
if (response.status === 'connected') {
userId = response.authResponse.userID;
accessToken = response.authResponse.accessToken;
var userinfo = getUserInfo(userId);
} else if (response.status === 'unknown') {
FB.login(function(response) {
statusChangeCallback(response)
}, {scope: 'public_profile,email'});
}
}
I'm getting the same issue, also using "cookie: true". But.. if I put the call to FB.login into the "status === 'unknown'" block, I get a blocked FB oauth popup - that is an empty window. I know I'm logged into Facebook (it's in the next tab over), I just don't understand why FB.loginStatus always returns "unknown".
I'm developing a pure-html/js web application (actually I'm using AngularJS; with "pure" I mean: I'm not using any server side technology) which uses a Facebook-Connect button like this:
<fb:login-button max_rows="1" size="xlarge" scope="email,public_profile,ads_management" show_faces="false" auto_logout_link="false"></fb:login-button>
Such button asks for permission: ads_management and basic user data. I'm testing ad-management functionality.
However, I ask two queries to facebook inside a controller:
$scope.fetchData = function() {
FB.api('/me', function(response){
$scope.$apply(function(){
console.log("InApp::fetchData()");
console.log(response);
console.log("~InApp::fetchData()")
});
});
};
$scope.fetchAccounts = function() {
FB.api('/me/adaccounts', function(response){
$scope.$apply(function(){
console.log("InApp::fetchAccounts()");
console.log(response);
console.log("~InApp::fetchAccounts()");
});
});
};
$scope.fetchAccountData = function(account_id) {
};
$scope.fetchData();
$scope.fetchAccounts();
For narrow-purposes I just printed the contents of a controller. Assume such controller exists, requires the person is logged in Facebook, and the user is currently logged in.
My Issues are:
The Login button does not update the page when I login. This is because no onlogin= was put. Question: How can I assign such attribute in an Angular way? (i.e. the handler coming from the scope).
$scope.fetchData is successfully executed. However, $scope.fetchAccounts is not. I'm asking this because I included the ads_management permission in the button. Question: What am I missing? (error: code: 10
message: "(#10) You do not have sufficient permissions to perform this action"
type: "OAuthException"). Edit - Additional notes: I deauthorized the application in my account, and reauthorized it: It never asks me the ads_management permission in the popup dialog.
The first question, no idea. The second question, your app is not whitelisted for Ads API usage. Look into the Ads APi documentation on how to request access.
Perhaps I am going about this the wrong way but I have a website that allows facebook login.
If the user has already registered on my website
and is logged into facebook but not logged into my site
when visiting the login page i check for their facebook login status and get response.status === 'connected' via-
FB.Event.subscribe('auth.authResponseChange', function (response)
{
if (response.status === 'connected')
{
var s = JSON.stringify(response.authResponse);
LogMeIn(s, function(response)
{
HandleAjaxError(response, function(msg)
{
window.location = '/_/';
});
});
}
}
I then want to pass their authResponse object to the server and confirm that this userid works with this token before I log them in as this user
I have read to simply grab the json contents of -
https://graph.facebook.com/{userID}?access_token={accessToken}
and if it does not return an error then it is good! But when testing this method I noticed that the same access_token worked for two different user ids (meaning it did not return an error for the userid that was not logged in on my computer). Instead it returned the facebook user object with name , location etc.
This really surprised me, as I expected the access_token to work only with a single user id.
In an effort to prevent someone from simply changing the user id before continuing the script I need to authenticate via server side. What is a way to accomplish this?
Proof, go to these links to see profile information
My profile-
https://graph.facebook.com/1233822590?access_token=CAACCBJJZBgjABAOGmvmsou8gMYGulLHTgAr5ZCHZAU7pKEp0cMAeX8r4qHLpiVuZCOT1v0ulMZAxX5YfLJkcZBr9l6qJQoPxWS5Fs5ndohDnH6ZAPPfZCZCTQtwWgAZAg6I1PAOIpdtCc0OUaMmBZAvGiMm9gQhmNXRbocZD
Another userid with same access_token-
https://graph.facebook.com/100000116781159?access_token=CAACCBJJZBgjABAOGmvmsou8gMYGulLHTgAr5ZCHZAU7pKEp0cMAeX8r4qHLpiVuZCOT1v0ulMZAxX5YfLJkcZBr9l6qJQoPxWS5Fs5ndohDnH6ZAPPfZCZCTQtwWgAZAg6I1PAOIpdtCc0OUaMmBZAvGiMm9gQhmNXRbocZD
Nothing to be surprised. You can fetch the basic details of any user of the facebook using the access token of any user of the facebook.. So this isnt really good way to validate the token. Moreover, that confirmation of token part isnt required.
If you want the authorization through server side go through.this link
I've an application that only asks for "user_about_me". Now I want to ask for new permission (publish_stream) but the response object returns "connected" if the user ignores the new permission. Because I want to post to the user's wall I'll get an error when posting to the user's wall "The user hasn't authorized the application to perform this action".
How can I do this?
I'm using Javascript SDK.
Basically you have to handle all the possibilities for user permissions/authorization when a user logs in. Here is a simplified working example from some FB integration I have done:
FB.Event.subscribe('auth.login', function(response) {
if(response.status === 'connected'){
FB.api('/me/permissions', function(resp) {
if(resp.data[0].publish_stream){
//User has permissions and authorization
}
else{
//User has not enabled publish stream, ask them to enable permission
}
}
}
If they have the permissions, I show them their avatar/username and some other options. If not, I present a link that asks them for the required permissions when clicked.
UPDATED TO BE MORE CLEAR (hopefully :)):
Related to this page, specifically the SSO section: http://developers.facebook.com/docs/authentication/
You've got the option Facebook says to use either that facebook connect button (whatever connect means nowdays with Facebook is a grey fog to me now) or just roll your own image as a button and on click call FB.Login().
So I tried the facebook button route which lead me to a complete brick wall. I mean I can get it working, auth, login, all that but I have no clue how to pass extended permissions through this entire process with the button:
window.fbAsyncInit = function () {
FB.init({ appId: facebookApplicationID, status: true, cookie: true, xfbml: true });
FB.Event.subscribe('auth.sessionChange', function (response) {
...rest of code
Ok, how do I attach extended permissions to this call? Of course you can do it easily if using Login() but why doesn't facebook show any examples or state whether the perms parameter exists in terms of placing it somewhere in this process of using that button!
related links: http://forum.developers.facebook.com/viewtopic.php?pid=248096#p248096
I don't even know why they have that button in here when it looks to me like most everyone is just simply calling Login() inside the Init. I assume then calling Login() still manages the SSO in terms of cookie, etc.?
Is anyone using this button or are you just going with FB.Login() ?
I'm running this in an iframe on our own hosted website...not embedding code into the facebook site itself (which I believe is called canvas right?).
RTFM. Yes, I mean friendly.
Right below the Single Sign-on section is the Account Registration Data section and I've copy-pasted this from there.
<fb:login-button perms="email,user_birthday"></fb:login-button>
Not exactly sure what you are trying to accomplish here. If you want to get information about your user or take actions on their behalf on Facebook, you need the user to tell Facebook it's okay to do so (this only needs to happen once) which is why you need to you call FB.login as described here: http://developers.facebook.com/docs/reference/javascript/FB.login.
FB.login(function(response) {
if (response.session) {
if (response.perms) {
// user is logged in and granted some permissions.
// perms is a comma separated list of granted permissions
} else {
// user is logged in, but did not grant any permissions
}
} else {
// user is not logged in
}
}, {perms:'read_stream,publish_stream,offline_access'});
They need to enter in their password to prove it's really them to authorize your app. If you need extended permissions, the second parameter in FB.login allows you to do this.
If the user is already logged in to Facebook (for example in another tab) then there's no need to log in and the login screen should be skipped. If the user is both logged in an has already authorized your app then there's no need to call FB.login.
You check check the user's login status (and permissions) with FB.getLoginStatus: http://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus before deciding whether or not to call FB.login.