I'm using facebook connect to allow the visitors login to a website using their facebook account.
The only information needed is that the user id and name.
However the facebook connect dialog states that my app will access all the users friends, photos...
How can I configure my facebook application to not request those data?
The quick answer, you can't. The dialog states that you have the ability to access the user's information. Whether you access it or not is up to you, but the ability to is always there. There is a base level of access granted to all apps. You can prompt for extended permissions, but you can't customize the base level.
This may change going forward with OpenGraph. There are still features Facebook is adding, and some existing, undocumented features.
Related
I'm using Facebook as a social identity provider, in order to authenticate users of my system. I don't want anything else from Facebook, other than the identity of the user (e.g. the user's Facebook id).
I'm making a passive request to https://www.facebook.com/dialog/oauth?client_id={app-id}&redirect_uri={redirect-uri}&scope=public_profile - more details here: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow (see section: invoking the login dialog).
There are several scope options, listed here: https://developers.facebook.com/docs/facebook-login/permissions#reference-public_profile
My problem is that there doesn't seem to be a scope that limits the access to just the user's Facebook id. This means that when the user first federates, Facebook presents them with a worrying message about all the additional info my app will have access to (see screenshot below). This doesn't work for me, I just need the user's Facebook id - I don't want to ask the user for all this additional stuff. Is it possible to restrict the scope down to just the user's id?
If you ask an user to authenticate your app, the minimum that your app always asks for is the public_profile. You can't get any information fewer than that.
You can read more on the permission here: https://developers.facebook.com/docs/facebook-login/permissions
I wish to access the user's unread Facebook messages in my app. I'm using the Accounts framework. Calling accountStore.requestAccessToAccountsWithType:options: requires the permissions be given as part of the options.
I want to access /{user-id}/inbox stated in their Graph API. This states that the read_mailbox permission is required. Reading the permissions page, it states:
This permission is granted to apps building a Facebook-branded client
on platforms where Facebook is not already available. For example,
Android and iOS apps will not be approved for this permission. In
addition, Web, Desktop, in-car and TV apps will not be granted this
permission.
In other words: This is available to basically nobody.
After such a blow, I feel like I'm pulling at straws here, but I'm wondering if this applies to the Accounts framework login. Their API references the standard Facebook login (with a button and then a permissions screen) and doesn't mention login through the Accounts framework.
So I tried it, and got an iOS UIAlertView asking if I wanted to allow my app to access the given permissions, including the Inbox permission. I tapped "OK", and was granted access. But then calling accountsWithAccountType: returns 0 accounts (I have a Facebook account logged in on device).
I'm wondering if anyone's done any further investigation, or knows any more about this?
You should first try testing your app in the explorer https://developers.facebook.com/tools/explorer/ and see what comes up.
Additionally, since you have read the permission page, you will understand that it wouldn't make sense developing the app with this feature unless you are the only using it.
I'm trying to create an app for closeted and questioning youth on facebook, and an important feature would be the ability to be anonymous on the app. I've been trying to find out if people can be anonymous on facebook, but this sounds like it's not allowed. Could facebook users make a new user account within a facebook app to protect their identity?
Thanks,
Colby
No, they cannot create a new facebook account from facebook app. And facebook has nothing to do with making a user anonymous, if user has given your application required permissions then you can have all the information about user, its up to you either you want to make that user an "Anonymous user" or show his profile pic/information.
Some suggestions:
In App Settings > Auth Dialog there is the setting Default
Activity Privacy which you should set to Only Me.
When a user authorizes your app store as little information as is
necessary, and prominently display your privacy policy explaining
what type of information you store, why, and how you will never
share it with anyone.
(optional) Store userids in your database as md5 hashes so that even if someone gains access to that database, they won't know who
the users are.
On a rich media banner, which obviously would appear on several different sites, is it possible to access a user's facebook information such as their photos?
The user would need to grant permission to the banner -- not sure if that's possible though.
There is some Facebook information that is publicly accessible to "anonymous" applications (i.e. unauthenticated/unauthorized). These include but are not limited to name and profile picture. It really depends on how public a user's profile is. However, I'm not sure you can get whatever the currently viewing user's info is. That's typically gotten by making an API request to /me which requires being authenticated.
However, if you're authenticated by the user, you can use whatever information they've granted you access to (specified by you during the OAuth process).
How do I make an app that doesn't ask for permission when you load it?
Or is that impossible? The only thing the application does is post to the user's wall, but can't I authenticate for that after they load the application?
You can, not sure why others are so positive that it is not possible.
On your server side you can check through facebook api if current user granted you required permission. If not, pass some flag to your fbml where you can display permission prompt link:
Would you like to <fb:prompt-permission perms="publish_stream">allow us</fb:prompt-permission> to post on your wall?
You are not obligated to require users to authorize your app either (but you need authorization before checking for granted permissions or retreiving any user information), you can still allow users to use your app. In fact allowing users to use an app without authorization is even encouraged by facebook recommendations. For optional authorization you can put such fbml on your page:
<fb:if-is-app-user>
<fb:else><a href="http://www.facebook.com/login.php?api_key=...&v=1.0>Would you like to authorize this app?</fb:else>
</fb:if-is-app-user>
If you want to post to their wall via a prompt instead of requiring prior authorization, you should use the connect library. Then you can use some javascript to open the dialog.
In fact, another SO question gives you exactly what you need.
Or is that impossible. The only thing
the application is going to do is post
to the users wall, but can't I
authenticate them for that after they
load the application?
To publish content to users' walls, you need to have the steam_publish permission from them first.