Facebook permissions - facebook

Suppose I have a website that wants to access a Facebook user's account information. Usually, the user is presented with all the permissions the website is asking for, and can either allow or deny them as a whole.
Is it possible to let the user choose (with checkboxes on each permission on the authorization screen, for example) which permissions he wants to give the website?

This would be possible but it would need to be done in two stages.
Firstly you would have to present the user with your own dialog where they can choose their preferred permissions.
Secondly you would have to authorise the user with the selected permissions via a Facebook dialog.
If you're looking for an example the Facebook Graph Explorer already does this:
http://developers.facebook.com/tools/explorer/
The bigger issue would be keeping track of the user's available permissions and reacting accordingly.

Unfortunately not out of the box. (But this could be changed sometime in the future, as FB displays a "required" next to the rights if you look at the rights you give to an app.)
I used to ask for the required perms, and let the user add optional perms via a click, which again opens the perm dialog but only with the perms the user has not already given to the site.
For example: on a user sign-in form, beside the "Hometown" field I have a button "Fill from Facebook". If the user hasn't given me the right to access user_hometown, I call for the right and fill the form.
See this post for a good explanation of the why and how:
http://www.fb-developers.info/tech/fb_dev/jssdk/learning_jssdk_12.php

Related

Login to site using facebook application

First let me introduce the problem. I have a site where I want to allow users to log in using their Facebook account. I also want to have the possibility to post on the user's wall and access his email. I created a Facebook app, and every time a user who is not logged in comes to the login page he clicks on the Facebook button and gets to the auth dialog of the application, where he must allow getting his email and on the next screen allow posting on the wall. The user gets to this dialog via a link which contains scope=email, publish_stream.
First question: When the user clicks "do not allow" for posting on the wall, the next time he uses this link he must do that again. Shouldn't Facebook remember this? I thought that I should not give the scope in the link and use the application setting where on the permissions page I choose extended permissions. But these permissions are never asked for. Even when I enable referrals.
Second question: Is using FB application for this right? Should I not use fblogin?
Thank you.
When the user clicks "do not allow" for posting on the wall, the next time he uses this link he must do that again. Shouldn't Facebook remember this?
No – because then there would be no way to ask a user for an extended permission once they’ve declined it.
Of course it might be annoying to the user to see that dialog asking for posting permission every time again when he just wants to login to your page.
That’s why Facebook themselves advise you to only ask for permissions you actually need for the current task. To provide the ability to log in to your site, you only need basic data and maybe email – so only ask for that, when the user is just logging in.
And then, when you come to the point where the user actively wants to share content through your app – then check if you got the necessary permission already, and ask them for it if it’s not present (by calling the auth dialog again, this time with the extended permission set in the scope parameter).
That way, it’s clear to the user why he gets asked for that permission at this point, and he doesn’t get hassled about it time and time again if he just only tries to log in.
I thought that I should not give the scope in the link and use the application setting where on the permissions page I choose extended permissions. But these permissions are never asked for. Even when I enable referrals.
For these settings to have any effect, the connection to your app must happen in a way that actually triggers Authenticated Referrals. Doing the login by yourself in your app logic does not trigger this way of authentication.
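
The approach in the answer above, which is also what the answers to the first question on this page describe, comes down to comparing what the current task needs with what the user has already granted and opening the auth dialog with only the difference in scope. An added example, not code from any of the posters: it assumes the granted list is read from the Graph API /me/permissions endpoint, and APP_ID, the redirect URI and the state value are placeholders.

```javascript
// Accepts the parsed body of GET /me/permissions in either shape:
//   legacy:  { data: [ { installed: 1, email: 1 } ] }
//   current: { data: [ { permission: "email", status: "granted" } ] }
function grantedPermissions(body) {
  const granted = new Set();
  const rows = body && Array.isArray(body.data) ? body.data : [];
  for (const row of rows) {
    if (row && typeof row.permission === "string") {
      // "declined" and "expired" rows are treated as not granted
      if (row.status === "granted") granted.add(row.permission);
    } else if (row && typeof row === "object") {
      for (const [name, flag] of Object.entries(row)) {
        if (flag === 1) granted.add(name);
      }
    }
  }
  return granted;
}

// Permissions the current task needs that the user has not granted yet.
function missingPermissions(needed, body) {
  const granted = grantedPermissions(body);
  return needed.filter((p) => !granted.has(p));
}

// Returns null when nothing has to be asked; otherwise the dialog URL whose
// scope lists only the missing permissions. `state` is an anti-CSRF value
// the caller stores in the session and compares on the redirect back.
function authDialogUrl(appId, redirectUri, needed, body, state) {
  const missing = missingPermissions(needed, body);
  if (missing.length === 0) return null;
  const q = new URLSearchParams({
    client_id: appId,
    redirect_uri: redirectUri,
    scope: missing.join(","),
    state: state,
  });
  return "https://www.facebook.com/dialog/oauth?" + q.toString();
}

// Constructed sample: a user who logged in and granted email only.
const LOGIN_ONLY = { data: [{ installed: 1, email: 1 }] };
```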

How to require Friends Online Presence as non-revocable permission on Facebook?

I would like a new user of my canvas app to grant the "friends_online_presence" permission.
On the FB manual page, this permission is listed among the "User and friends Permissions" which should appear on the first page of the registration dialogue and should be non-revocable.
However, Facebook does the opposite - it redirects the user to the second page of the dialogue, where this permission is optional for the user.
If I try to make registration with other permissions from the list (i.e. friends_likes), it works as supposed - the permission is requested as non-revocable on the first screen.
Am I doing something wrong or is this actually a bug in their documentation?
Thanks!
Probably a bug in their documentation. You can however, check to see which permissions the user accepted. If you find they allowed your app, but not the friends permissions, you can give the user a specific screen telling them they can't use your app.

Facebook account to replace registration?

I'm new to all this. This is what I'm after and I'm sure it's possible.
I've got a script where people can register/log in as members. What I'd like to do is tie it in so that it just uses Facebook users' details for the registrations. I've managed to set it up to sign up and complete a registration using a user's name and email.
What I'd like to do now is automatically log the user in if they're logged in on Facebook. Is this possible, or will they need to click a login button that then takes them to their page? If they need to click a button to log in, how do I go about getting the button to take their Facebook details and log them in? Also, what happens in regards to passwords on my site? Is that stored in the app somehow?
Ideally I'd like to use the popup version of verification rather than the iframe that I've got set up at the moment.
Cheers in advance for any help for a n00b!
This is in fact possible. Although I for my part was never a fan of such things, here's some human-readable (simplified) theory:
Facebook uses a system called OAuth ( http://de.wikipedia.org/wiki/OAuth ). That means, when you want to have the user log in to your site using Facebook, you'll of course need to provide a button/facebook-login-frame (see documentation) that says "Log me in with Facebook" or so. You then access Facebook's API (more here: https://developers.facebook.com/ ) and basically tell Facebook who you are ("Hi I'm website XY"). While that happens your user is redirected to Facebook's "permission-landing-page". On that page he needs to confirm whether he is fine with your website accessing certain information (like his name). If he confirms, your website receives an access token granting you access to a subset of his user information, which you can then use to personalize his experience on your website.
Check out Facebook's documentation because they explain exactly your use case in detail.
(here: https://developers.facebook.com/docs/authentication/ )
PS: You'll of course never have any access to his Facebook login/password. That's kind of the idea behind "delegating" the authentication via OAuth to Facebook. Facebook only provides you with an access token (bound to that particular user who logged in and granted your app/website permissions)

How can I reduce the information my application requests

When users invite friends to my application the friend gets a notification in the Facebook.
When they click this link they see a dialogue box asking them to approve my application.
How can I limit the information my app requests to almost nothing so I don't scare away potential visitors.
I don't want their email or friends list or to access their data at any time. I just want them to visit the site.
OK, thanks to changing the scope I have the dialogue down to this. Is there any way to get even less? I don't have any code that requires permissions. My callback just extracts the request IDs.
Just don't require authentication on your landing page. Make it so that your landing page and primary canvas page do not require authentication and potential users can browse and check information about your app and look if it is what they are looking for.
Then, once they make any significant action on your app where their user information is essential to proceed, you can open an authentication dialog box. You can detect whether users have already authenticated or not with the help of the JavaScript API FB.getLoginStatus method:
https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/
hope this helps
You are requesting extended permissions in the url you are directing them to for the allow. Remove anything from the querystring parameter "scope", currently you should see that
&scope=offline_access,email
or similar. Simply change that to
&scope=
Check the page on extended permissions for more info:
http://developers.facebook.com/docs/reference/api/permissions/
Your invitation is linked to an application that needs extended permissions. You have two choices: the first is to change the link so that it doesn't need extended permissions. The second is, if you don't use the data you get from the permissions, to remove the permissions from the OAuth dialog.
The second screenshot above is the minimum amount of permissions you can request.
It is not possible to request anything less than basic permissions. You have to have this in order for the user to be connected with your app, and so you can get their user id.

Facebook API tab settings security

I am working on a Facebook App that adds a tab to fan pages. Admins of those pages should be able to edit some settings for the tab.
So I created a settings script for that. If an admin wants to edit something, he or she is sent to http://mydomain/settings.php?fb_page_id=theirpageid
How can I verify that the person loading that page is actually authorized to change those settings? For example, if I knew the page ID for some other page that uses my tab (and the id of a page is right in the URL of the page) I could get in to their settings.
The only thing in the request array is the page id.
Thanks in advance,
Tim
UPDATE:
The only solution I've come up with is asking the user to sign in with facebook and then checking the rights, but this is something I'd like to avoid, as it's another step for the user.
The best practice for this would be to authorise the user on your admin page with the manage_pages permission.
With this permission you can see which Apps / Fan Pages that particular user is an admin of by making a request to:
https://graph.facebook.com/me/accounts?access_token=VALID_ACCESS_TOKEN
So you can easily judge if the user has valid admin access rights to a page with your application tab installed.
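
The check described in this answer, as an added example that is not the poster's code: the server compares the fb_page_id from the request against the pages returned by /me/accounts for the signed-in user's token and refuses on any mismatch or error. The session object, the fetchJson helper and the sample IDs are assumptions made for the illustration.

```javascript
// Facebook page IDs are decimal strings; reject anything else up front.
function normalizePageId(raw) {
  const id = String(raw == null ? "" : raw).trim();
  return /^[0-9]{1,32}$/.test(id) ? id : null;
}

// accountsBody: parsed JSON body of one GET /me/accounts response.
// True only for a well-formed list that contains the requested page.
function userAdminsPage(accountsBody, rawPageId) {
  const pageId = normalizePageId(rawPageId);
  if (!pageId) return false;
  if (!accountsBody || accountsBody.error || !Array.isArray(accountsBody.data)) {
    return false; // fail closed: expired token, API error, unexpected shape
  }
  return accountsBody.data.some((acct) => acct && String(acct.id) === pageId);
}

// Hypothetical handler glue. session.accessToken is the token stored
// server-side after login; fetchJson(url) is an injected HTTPS JSON getter.
// Returns the HTTP status the settings page should answer with.
async function authorizeSettingsRequest(query, session, fetchJson) {
  if (!session || !session.accessToken) return 401;
  const base = "https://graph.facebook.com/";
  let url = base + "me/accounts?access_token=" +
    encodeURIComponent(session.accessToken);
  // Follow paging for users who administer many pages, with a hard cap.
  for (let i = 0; i < 20 && typeof url === "string" && url.startsWith(base); i++) {
    const body = await fetchJson(url);
    if (userAdminsPage(body, query.fb_page_id)) return 200;
    url = body && body.paging ? body.paging.next : null;
  }
  return 403;
}

// Constructed sample response; IDs and names are made up.
const SAMPLE_ACCOUNTS = {
  data: [
    { id: "100000000000001", name: "Example Bakery" },
    { id: "100000000000002", name: "Example Band" },
  ],
};
```

Run the check on every request that reads or writes settings, not only when the settings page is first opened.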