Hello Facebook developpers community,
I'm currently working on a multiplayer online game with HTML/JS.
I just want to allow user to register with the game and I decided to allow them to login with their facebook account. I created a Facebook website application for that.
But when I set a fb:login button on my page, the dialog don't ask me for the permissions I set (FYI : i just configure them in the Authenticated Referrals section).
Maybe I need to configure the permissions in an other place but with the new Auth Dialog, I'm not sure where I need to go..
Authenticated referrals have no effect on usage of fb:login-button, they intended for links to your application on Facebook itself.
To request permissions from user you should use scope parameter of Login Button, here is simple example of requesting email and user_location permissions (both HTML5 and XFBML):
<div class="fb-login-button" data-scope="email,user_location"></div>
<fb:login-button scope="email,user_location"></fb:login-button>
Update:
As stated in comments those attributes may be easily manipulated by "advanced" users to avoid granting permissions. There is no way to specify which permissions will be user will be asked to grant from Application Settings. This isn't really a problem on it's own due to fact that Authenticated referrals suffer from very same problem, once user see authentication step he may change scope parameter to whatever he wants.
Actually you SHOULD NEVER trust to anything that came from user, so you'll better check the granted permissions after he logs-in by querying Graph API:
https://graph.facebook.com/me/permissions
This will return list of permissions user is granted to your app, if something missing react on that.
Related
I have implemented a server-side login flow for a facebook page management application to allow my users to grant the necessary permissions to this application. So far, this works nicely and allows my application to obtain a "page access token" after being granted the manage_pages permission.
However, during the login flow, the facebook UI on facebook.com requests both the manage_pages permission (which is what I asked for) and the permission to see the list of friends of the user (which I did not ask for).
To be specific, I redirect the user to https://www.facebook.com/dialog/oauth?client_id=...&redirect_uri=...&state=...&response_type=code&scope=manage_pages.
Is there a way to convince the facebook UI to not request permission from the user to see his list of friends ?
For reference, since I spent a good amount of time researching an answer to that question, I believe that it is impossible to explicitely not request permission from the user to see his list of friends. The Facebook documentation hints at this by stating that these are the "default" permissions that every application gets.
I am having some doubts about the proper facebook authorization/login flows and maybe some of you have more experience on the subject.
Basically I have a guest area on my website for non authenticated users and a button to connect through Facebook or the platform login/registration system.
As per the Facebook flow: once the guest clicks on the button, a popup dialog opens asking to login to fb (if needed) and to grant some permissions to the app. Once accepted, my website saves user data to the DB tables as if the user also registered to the website itself. This all works fine and once done, my users can navigate to the protected areas as expected.
Now... I don't totally get if it's mandatory to logout from Facebook AND to revoke permissions once the user chooses to logoff from my website or if it's allowed (and how) to simply log the user out of facebook (and so from the app) while the app still retains the user permissions.
I know this might sound like a silly question but last part of the flow is still foggy to me and i found the Facebook docs quite sparse. I hope I could explain it well enough!
Thanks.
I am working with integration of a website with facebook.
I have a specific requirement where-in the user should get logged-out from facebook if he/she doesn't grant permissions to my facebook-app (on first use).
Now, If user denies access for my facebook-app, I am redirected to the redirect_uri, but the problem is that on the page that handles the redirection, I cannot log the user out from facebook since my app won't have permission to perform logout.
Can anyone please tell me what is the workaround I could try?
I have a specific requirement where-in the user should get logged-out from facebook if he/she doesn't grant permissions to my facebook-app (on first use).
Is this in a very special environment (like a kiosk application or something) …?
Because otherwise, I’d hate it if random apps logged me out of FB while I’m browsing on my own computer, just because I don’t want to connect to them.
Now, If user denies access for my facebook-app, I am redirected to the redirect_uri, but the problem is that on the page that handles the redirection, I cannot log the user out from facebook since my app won't have permission to perform logout.
Can anyone please tell me what is the workaround I could try?
I don’t know any workaround – to perform a log out on behalf of the user, you need a valid access token – doesn’t matter, if you’re trying to do it client-side or server-side.
If that wasn’t the case, any website I’m visiting could log me out of Facebook, and that would be really annoying to users.
We have exactly the same problem. We've developed a kiosk application used to checkin and post HD photos.
If the user does not accept the permissions we need to reload the application because we can't logout the user in another way.
We've tried different ways but no one was successful
I'm trying to create an app for closeted and questioning youth on facebook, and an important feature would be the ability to be anonymous on the app. I've been trying to find out if people can be anonymous on facebook, but this sounds like it's not allowed. Could facebook users make a new user account within a facebook app to protect their identity?
Thanks,
Colby
No, they cannot create a new facebook account from facebook app. And facebook has nothing to do with making a user anonymous, if user has given your application required permissions then you can have all the information about user, its up to you either you want to make that user an "Anonymous user" or show his profile pic/information.
Some suggestions:
In App Settings > Auth Dialog there is the setting Default
Activity Privacy which you should set to Only Me.
When a user authorizes your app store as little information as is
necessary, and prominently display your privacy policy explaining
what type of information you store, why, and how you will never
share it with anyone.
(optional) Store userids in your database as md5 hashes so that even if someone gains access to that database, they won't know who
the users are.
I'm building a Facebook app with Facebook login via Oauth 2.0. Will it be possible to request more permissions (scope) from the user in the future as we add features or do we need to request them all up front?
Anyone implemented this with Facebook Connect?
From my experience, you can add permissions later and it'll prompt the user to accept those permissions. For my app, I started with just basic/email permissions and then added photo... and it would prompt for the photo.
You can call Facebook's permissions api (https://graph.facebook.com/me/permissions?access_token=...) to see if the user has authorized the permission you will need (perhaps they later when in and revoked part of your apps permission but not all of it). If they did, or you just later need different permissions, just show the authorization link like you did the first time with the additional permissions listed in the url (&scope=email,read_stream...) and it will prompt them for those.