Facebook API permission skip / revoke vs. the OAuth 2.0 RFC

Suppose my application wants to request permissions A and B on behalf of a third party user.

In the OAuth 2.0 RFC, a third-party user does not need to grant these permissions. However, if the granted permissions are not identical to what my application requested, the granted scopes will be returned in the response to the third party.

Reading the Facebook documentation and analyzing the responses from Facebook when I simulate a skip / deny flow, it seems that the granted scopes are not returned and that my application will need to make another API call to find out what permissions were granted.

Is it correct?

+4
1 answer

Short answer: yes, you do.

Longer answer: Make an API call to https://graph.facebook.com/me/permissions?access_token=OAUTH_ACCESS_TOKEN_HERE - in the PHP or JS SDK you can shorten this to just /me/permissions, since the SDK will supply the server and token for you.

This shows all the scopes currently granted to your application by this user; for example, the output:

    {
      "data": [
        {
          "installed": 1,
          "manage_friendlists": 1,
          "status_update": 1,
          "photo_upload": 1,
          "video_upload": 1,
          "create_event": 1,
          "create_note": 1,
          "share_item": 1,
          "publish_stream": 1,
          "publish_actions": 1,
          "user_about_me": 1,
          "friends_activities": 1
        }
      ]
    }

Since users can retroactively revoke previously granted permissions, you still have to do this from time to time, because even if you had a callback with the scopes granted in a specific permission request, the user can revoke some / all of them almost immediately afterwards.

+6
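The check the answer describes, as an added example that is not part of the original post or of any Facebook SDK: it parses a /me/permissions response, works out which requested scopes the user skipped or later revoked, and gates a privileged action on the result. The sample responses are constructed; the legacy `{"name": 1}` shape is the one shown in the answer, and the `{"permission": ..., "status": ...}` shape is the one later Graph API versions return (that format is this example's assumption, not something the answer states). The helper names (`granted_scopes`, `missing_scopes`, `require_scopes`, `fetch_permissions`) are this example's own.

```python
"""Determine which Facebook Graph API scopes a user actually granted.

Added example, not from the original answer. Parses the /me/permissions
response and compares it with the scopes the app asked for, so the app
never assumes a scope it was not granted (or that was revoked since the
OAuth callback). Sample responses below are constructed for illustration;
the helper names are this example's own, not part of any Facebook SDK.
"""
import json
import urllib.parse
import urllib.request

# Constructed sample: the legacy {"name": 1} shape shown in the answer.
LEGACY_RESPONSE = json.dumps({
    "data": [{"installed": 1, "status_update": 1, "publish_actions": 1,
              "user_about_me": 1}]
})

# Constructed sample: the {"permission": ..., "status": ...} shape used by
# later Graph API versions (assumption about that format, not from the answer).
NEWER_RESPONSE = json.dumps({
    "data": [{"permission": "email", "status": "granted"},
             {"permission": "user_friends", "status": "declined"},
             {"permission": "publish_actions", "status": "granted"}]
})


def granted_scopes(body: str) -> set:
    """Return the set of scopes the response marks as granted.

    Handles both the legacy shape (one dict of name -> 1) and the newer
    list-of-{permission, status} shape. Anything else raises ValueError so a
    malformed or error response is never mistaken for "no scopes granted".
    """
    doc = json.loads(body)
    if "error" in doc:
        raise ValueError("Graph API error: %s" % doc["error"])
    data = doc.get("data")
    if not isinstance(data, list):
        raise ValueError("unexpected /me/permissions shape")
    granted = set()
    for entry in data:
        if "permission" in entry:          # newer shape
            if entry.get("status") == "granted":
                granted.add(entry["permission"])
        else:                               # legacy shape
            granted.update(name for name, flag in entry.items() if flag == 1)
    return granted


def missing_scopes(requested, body):
    """Scopes the app asked for that the user skipped or later revoked."""
    return set(requested) - granted_scopes(body)


def require_scopes(requested, body):
    """Gate a privileged action: raise unless every scope is still granted.

    Call this server-side right before acting, not only at login, because
    the user may have revoked scopes since the OAuth callback.
    """
    missing = missing_scopes(requested, body)
    if missing:
        raise PermissionError("missing scopes: %s" % ", ".join(sorted(missing)))
    return True


def fetch_permissions(access_token):
    """Live lookup against the endpoint the answer names (needs network)."""
    url = "https://graph.facebook.com/me/permissions?" + urllib.parse.urlencode(
        {"access_token": access_token})
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    wanted = ["publish_actions", "user_about_me", "user_friends"]
    print("legacy missing:", sorted(missing_scopes(wanted, LEGACY_RESPONSE)))
    print("newer missing:", sorted(missing_scopes(wanted, NEWER_RESPONSE)))
```

The design point is that the set of granted scopes is recomputed from the live response each time, never cached from the callback: treating an error body or an unexpected shape as an exception rather than as an empty set keeps a transient API failure from silently locking out or, worse, mis-authorising a user.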
