I seriously do not understand how the permissions work.
Let me explain:
I have a Facebook app set in my developer account
I have defined a test app
In my Unity app using the Facebook SDK, Im calling this login function:
string permissions = "public_profile,user_bithday,user_location";
FB.Login (permissions, LoginCallback);
After the callback, I'm asking for the granted permissions and I'm getting:
request response: {"data":[{"permission":"public_profile","status":"granted"},{"permission":"email","status":"granted"},{"permission":"publish_actions","status":"granted"},{"permission":"user_birthday","status":"granted"},{"permission":"user_likes","status":"granted"},{"permission":"user_photos","status":"granted"},{"permission":"user_friends","status":"granted"}]}
I have to say that I'm still experimenting with the SDK making with the same Facebook app, different logins from different Unity projects (from the Editor of course). The permissions I am getting are the one I asked with a project I was developing 3 weeks ago. Because everything was working, I focused on something different. Today I made a new project by asking for the permissions defined in the login function in the point 3.
My question is: why am I getting permissions I didn't ask for?
Will I have the same problem when I'll deploy the app on different devices?
[EDIT]
More important than those, why I'm not getting the permissions "user_location" I'm asking for? It's not even saying that the requested permission has been denied.
[/EDIT]
The idea is to use the same Facebook app but with 2 different Unity projects: one project is a game that will be deployed on iOS and Android and another one is a standalone app for Mac and Windows that will allow the authorized person to modify the game (let's say a game editor). As you can guess, the projects will need different permissions. Is this something duable or because I'm using 2 different projects with the same Facebook app I'll have problems?
Cheers for the help guys :-)
Once a user has granted a certain Facebook app permissions, they stay there unless the developer or the user explicitly take them away; The FB.Login() call is there to ensure that you have, at a minimum, the permissions you've requested.
Incidentally, Facebook recommends asking for permissions only at the exact point you need to use them; Asking for more permissions is done with FB.Login("just_the_new_permission_you_need") and it won't take away what the user gave thus far.
tl;dr yes, using two projects with the same appid means permissions from one will be granted to another and vice-versa.
Related
I'm developing a webapp which allows users to log in with their Google accounts, using OAuth2.0.
I've created an OAuth2.0 client ID, configured the OAuth consent screen with the Publishing status set to 'Testing', and added a test user.
The frontend of my app is built with React, and I'm using a package (react-google-login) to handle the flow. I can successfully sign in with the Google account I added as a test user, and retrieve the basic profile information needed.
The problem is I can also sign in with other Google accounts, which have not been added to the list of test users. I imagine that Google should simply not issue access tokens for accounts which are not in the list of test users.
I feel like I've misunderstood something about the OAuth process, or I have configured something incorrectly. I would appreciate if anyone had any pointers?
Thanks.
It is indeed bugged.
I was in the same spot as you, assuming I had misunderstood something. After reviewing my code over and over with no luck, I made a Stack Overflow post, in which I was advised to post to Google's bug tracking system. After doing some troubleshooting with Google they confirmed the bug, and they are now working to fix it (for a little while already).
I included this thread as an example when talking to Google. I meant to post an update here after getting in touch with them, but I forgot, sorry!
The buganizer thread with more details:
https://issuetracker.google.com/issues/211370835
Is it possible you're only asking for the email scope?
It appears the test user filter and possibly the whole concept of the 'app' being in test mode exists only inside the consent screen feature.
For some reason, Google doesn't show the consent screen if you only ask for email.
So... maybe that means you don't need a consent screen, and therefore don't need to care what that feature thinks about your app (that your app is in test mode and needs to be verified before going into production).
Or maybe it's a bug? Or maybe just because you can do this doesn't mean it's allowed by Google's terms. Maybe they just haven't implemented preventing that use case.
Anyway, it may help you to know that if you add a more significant scope like the Calendar API then the following things will change:
Non-test users will get a message like "The developer hasn’t given you access to this app." and won't be able to complete oauth
Test users will get a message like "Google hasn't verified this app"
Test users will see a consent screen
Basically, everything starts working as expected.
By the way, just putting "email" or "profile" for scope seems to be an old way of doing things, and all the newer scopes want you to use a full URL for the scope (despite google themselves not using the full URL when you're configuring your scopes).
For example, if you want the email and calendar scopes, you can put this value for your scope field:
email https://www.googleapis.com/auth/calendar
Or you can use this equivalent value:
https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/calendar
Not suggesting you add a scope like email for the sake of it, just that it sheds light on what's happening, and if there's a scope like that that you need anyway, adding it will solve your problem.
I'm trying to create a system user token for one of my apps as described here in the Facebook API documentation: https://developers.facebook.com/docs/marketing-api/businessmanager/systemuser/#systemusertoken
I'm using the Graph API explorer to make the call, include the correct parameters (appsecret_proof, business_app etc.) but receive the following error:
(#200) Requires business_management permission to manage the object
It is true that the access_token I'm using when making the call does not have the business_management permission, but I don't understand why. The user that is making the call is Administrator for the app in question and has all rights I could possibly give. Also, for my other app, the permission shows up correctly when creating the user token and I cannot spot any difference in the configuration of the two apps.
I'm wondering if I need to put the app (which is a mobile game) through app review, but that seems kind of wrong because I don't want to request that permission from users or anything, I just want to use my administrator account to generate a system user token, which is a one-time action. The other app that correctly shows the permission also didn't go through app review, and both apps don't use Facebook for anything user facing, not even for logging in.
I feel like I'm completely on the wrong track and probably don't see the real problem here, but I'm also out of ideas. Is there something obvious I'm missing or anything else that could cause this permission not to show up?
I solved it now by putting the app back into development mode, which apparently allows all permissions to be granted. Creating a system user token worked fine and the system user is able to make API calls even after the app is set back to "live".
in my android app I use the facebook graph api. I need specific permissions for "user_likes".
for example the request could look like this: me/likes?fields={anyField}
such a request works in facebook graph api explorer but not in my own app because I have no permissions. I have to fill out a form to get this permissions:
Fill out the form below to submit your app for approval. You must
include usage information about your app for the review team. Your app
will be reviewed for compliance with our Platform Policy and Review
Guidelines.
my app is under construction, I would like to have something like a "sandbox mode" is such a thing available?
I hope you understand what i mean...i do not really know how to explain it precisely.
You don´t need to get anything reviewed for testing, user_likes will work for everyone with a role in the App (Admin, Developer, Tester), without the need to go through the review process.
If it does not work in your App, even as App Developer, you must have done something wrong in the login process: https://developers.facebook.com/docs/android/login-with-facebook/v2.2?locale=en_GB
i have read all the answers ( i could find on the matter), and they say, if you are a developer, tester or admin of the application, you should be able to test the app without any problem. I have tried as a admin of the app, developer, tester etc (all the roles given in the developer dashboard) no luck, next i have tried with the test users, still no luck, when i ask the user for the permission (publish_stream), the popup always says
Submit for Login Review Some of the permissions below have not been
approved for use by Facebook.
I have setup the "privacy policy link", i have uploaded the application icon, entered the application description, still no luck. in the mean time, the other two permissions i ask (user_photos and email) work with no problem.
I can't get what i am doing wrong. has anyone had problems like this?how did he manage to solve them? any help will be much appreciated.
P.S the only thing i haven't tried is to submit the freaking app for review, but the app is far from done, so i think, the review will be rejected
You really don´t need to go through the review process for testing, unapproved permissions work for every Admin, Developer or Tester of the App. publish_stream is deprecated though, what you probably want is publish_actions.
If it still does not work with an Admin/Dev/Tester and the publish_actions permission, i´d suspect a bug. In that case you could report it: https://developers.facebook.com/bugs/
What I am trying to do is get a list of permissions that an application will ask for when a user adds it. FQL says I need an app access token (which of course requires the application secret). I must be doing something wrong...I don't find it normal than only the developer of an application would be able to use the Graph to read the permissions the app requires. Has anyone seen something similar?
The permissions that you ask for depend on the script that is calling the login at that particular point, so it could be different in many places. One place in the app may only require basic permissions, while another place might require basic and email permissions. So you can't get a one-size-fits-all answer for an app because it isn't defined in one place, and it is not saved on the facebook server.
It might be that there is another solution to the reason why you want this information. What is it you are trying to achieve?