Please can someone clarify why we have to login twice for email and friends permission

Hi,

I’ve spent a fair amount of time trying to get my head around the Facebook plugin and the Facebook permissions, etc., and I think I’m pretty much there in terms of setting it up and getting permissions.

I have my app working in the following way (based on the sample facebook app) and it works as expected:

  1. Logs in to Facebook the first time. Facebook loads with permission “your public profile” only (i.e. no email or friends)
  2. I gather the user id, profile pic and name but at this point can’t get email due to permission (that’s OK for now)
  3. Later in my app I want to show who has the game installed so I call facebook.request("me/friends", "GET").
  4. I now get redirected to Facebook again to accept the permission for “your friends list”
  5. I accept and I get a list of friends that have the app installed
  6. So far so good and it’s a good user experience.

This is actually OK since I don’t have to get the friends at the start - it’s only later when I need to show them.  Facebook seems to like this method as it shows the user why you are asking for that permission.

My problem comes when I decided it would be good to grab the email address at the start.  From what I have read in multiple posts, etc., you need to do the following double login process:

  1. Log in to facebook once, accept the “your public profile” only
  2. log in / request again with “email” permission 
  3. process the response which will now have user id, profile pic, name AND email

My problem here is that I’ll get taken to one Facebook page, accept the “your public profile” permission and then it will switch to another Facebook screen with the email permission - I believe this is how it works for everyone trying to do the same?  If I have done something wrong at this point, please let me know!

I also read in this post (http://forums.coronalabs.com/topic/42990-facebook-request-friends-and-email/?p=250421) that this is how Facebook requires it to be done BUT… I have been going over the documentation on Facebook and I can’t see where it states that.

In fact it says that you should be able to request all “read only” permissions at the first login:

https://developers.facebook.com/docs/facebook-login/ios/v2.0#permissions

“You can ask for any number of read permissions or for publish permissions during login. However, as a general rule, the more permissions an app requests, the less likely it is that people accept the permission request and continue with the login process.”

i.e. public profile, email and friends

It does however state that a second request / login SHOULD be done when asking for publish permissions:

“you should only ask for publish permissions once a person is ready to post something from your app and  not  during the initial login process. The login control makes this easy by separating read permissions and publish permissions”

Is there any small chance that there might be a bug in the Facebook plugin and that you actually should be able to get public, email and friends (i.e. read permissions) with the first login request e.g.

```lua
facebook.login( appId, callFacebook, {"email", "user_friends"} )
```
 

If not, could someone from Corona (maybe Rob) point me to where it says you have to login twice / do a second request for additional read only permissions?

It doesn’t seem right to have to display the facebook permission page twice one after another just to get the email address (and friends).

Thanks

FYI, these are the pages I have read through that lead me to think there may be a bug:

https://developers.facebook.com/docs/facebook-login/permissions/v2.0

https://developers.facebook.com/docs/facebook-login/ios/v2.0

I have also noticed in the Facebook sample app that ALL of the requests do a “publish_actions” login before doing anything…   Why is this the case if initially all we want is read only info? e.g. in the sample app the getInfo_onRelease / GET_USER_INFO request.

From facebook docs:

“Apps should separate the request of read and publish permissions. Plan your app around requesting the bare minimum of read permissions at initial login and then any publish permissions when a person actually needs them, for example when they want to create an Open Graph story from within the app. This provides the best user experience and optimizes conversion.”

Do me a favor and try:

```lua
facebook.login( appId, callFacebook, {"email, user_friends"} )
```

Also try just getting one or the other.  I thought I had read somewhere that email and user_friends was included in the basic privs anyway.

Rob

Hi Rob,

Thanks so much for getting back to me… I appreciate my post is a bit on the long side but I wanted to try and show that I’d done the investigation - so thanks for taking the time to read it all!

I have just tried that but it still only gives me the “public profile” (unless I do an initial login first but then I’m back to two Facebook screens)

As a test, I also tried not passing anything in for the permissions and as I expected it still gave me “public profile” since this is the only default permission facebook applies.

i.e. facebook.login( appId, callFacebook, {}  )

These are a couple of paragraphs from the facebook docs that seem to back this up:

This is from the “overview section” of https://developers.facebook.com/docs/facebook-login/permissions/v2.0

 

Permissions are strings that are passed along with a login request or an API call. Here are two examples of permissions:

email - Access to a person’s primary email address.

user_likes - Access to the list of things a person likes.

For example, if you add the login button to a web app and ask for email and user_likes via the scope parameter, a person would be prompted with this dialog when logging in for the first time:

<image removed>

Your app has requested a person’s email address and the things they like but that request also automatically asks for access to a person’s public profile. The full list of permissions, including defaults, is included in this document."

Note the part that I have bolded…

In doing the login you requested:    

```lua
facebook.login( appId, callFacebook, {"email, user_friends"} )
```

edited as should be a table:  facebook.login( appId, callFacebook, {"email", "user_friends"} )

should give me these permissions from the get go (i.e. without an initial call to facebook.login)

  1. the automatic “public profile”

  2. the requested “email”

  3. the requested “user_friends”

But it only gives me the automatic one and seems to ignore whatever you pass in as additional permissions.  Do you know what happens behind the scenes in the Facebook plugin when you first login?

Reading a bit further here:  https://developers.facebook.com/docs/facebook-login/permissions/v2.0#reference

It explains which permissions CAN be requested at the initial login:

  • Public Profile (default)  - public_profile
  • Friends - user_friends
  • Email - email
  • Extended Profile Properties  e.g. user_likes, user_birthday, etc

AND those that CAN’T - i.e do in fact require a second login / request:

  • Extended Permissions - Read
  • Extended Permissions - Publish  - publish_actions

(I have just listed the section headings)

I think (hoping? ;)  ) there is some confusion in the plugin code around this that can be resolved…

Hope all that makes sense!

Cheers

I just wanted to make sure the syntax is right on the parameter list.  I once saw it as { “perm1, perm2” } but that doesn’t make sense because we are passing a table, so it should be { “perm1”, “perm2” } like you initially had it.

Hi Rob,

yes, I have it as a table - that’s my fault for copying and pasting while doing my post haha

In my actual code I have used a table i.e.

```lua
facebook.login( appId, callFacebook, {"email", "user_friends"} )
```

I’ve just updated my reply so as not to confuse anyone!

Right, but what I wanted you to do was try it as { “email,  user_friends” }, as a single string inside the table and also try it just asking for one of the permissions { “email” } and just humor me and see if it gets you anything.  It should be { “email”, “user_friends” } but because I saw it the other way once, I want to double check it.

Rob

Hi Rob,

I’ve just tried something that was quite interesting…

First thing I tried was a single login with junk data for permissions like so:

```lua
function fbLogin(event)
    -- login to facebook and then get user data
    fbCommand = GET_USER_INFO
    --facebook.login( appId, fbLogin2, {} )
    facebook.login( appId, callFacebook, {"junk1", "morejunk"}) -- {"email", "user_friends"} )
end
```

When I ran the above, it just gave me one Facebook screen with public_profile permission which I expected…

I then tried the double login process i.e.

```lua
local function fbLogin2(event)
    -- second login??
    --facebook.login( appId, callFacebook, {"email", "user_friends"} )
    facebook.login( appId, callFacebook, {"junk1", "morejunk"} )
end

function fbLogin(event)
    -- login to facebook and then get user data
    fbCommand = GET_USER_INFO
    facebook.login( appId, fbLogin2, {} )
    --facebook.login( appId, callFacebook, {"junk1", "morejunk"}) -- {"email", "user_friends"} )
end
```

Now when I run the code - I get the same initial facebook page with the public_profile only but when it tried the second login - I get an error on facebook saying “invalid scope: junk1” 

I was (a little bit… sorry) hoping for it to error because it suggests that the logic behind facebook.login completely ignores whatever you pass for the permission table whereas second time round it uses it.

Do you think there is a case to delve into the source code and check?

Ah, sorry Rob - I misunderstood… No worries… happy to try whatever…(I’ll try with a single login request)

Ok, so when I try as a single string I just get the default “public_profile”

Doing just “email” or “user_friends” on its own also just gives me the default “public_profile”

This doesn’t surprise me given my test I did with the “junk” permissions.

Just for fun though…  If I do the double login process and I use the single string it does work. I then tried again with a table and that worked too! I correctly get email and user friends permissions displayed on the facebook second login screen

Maybe behind the scenes in the plugin it loops through the table element and appends them to make one string?  that could explain why either would work?  

Which Facebook SDK does Corona use in the plugin?

We just updated to the latest plugin about a month ago.

But you can get this working, with two logins, correct?

Rob

Yes, using two logins it works but surely we shouldn’t need to do two logins for the read only permissions.

What was the update? is that currently just in the daily builds or is that an update on your end? i.e. will I be using the updated code already?

Facebook is implemented as a plugin for iOS and in the Corona core for Android.  That means updates to Facebook for Android happen in daily builds.  Since iOS is done via a plugin, it becomes available to everyone when it hits the servers. 

I believe the SDK for both iOS and Android are 3.14.1.  We had to upgrade to keep up with some breaking changes Facebook was making.  They do so about every 3 months. 

Hi Rob,

Thanks - I should have mentioned from the start that I’m just (at the moment) using iOS

In which case, it seems you still have to do a double login for iOS?  Can this be looked at so it only needs a single login / request?

Were any of the recent changes around removing the double login process?

I can bring it up to Engineering, but they will want a bug report filed complete with config.lua and build.settings before they will look at this. 

Rob

Hi Rob,

That would be great… I have not posted a bug report before… how should I go about doing that?

Thanks 

Put together a small sample app that demonstrates the problem.  The app should include the build.settings you are using and a config.lua.  Zip up the folder with files in it and then click on the link at the top of the page:  Report a Bug.

Fill out the info, attach the zip file and submit it.  You should get an email that has a bug report ID # in it.  Please post that ID # back here afterwards so that we can follow up with it.

Rob

Hi Rob,

Thanks for the info… I’ve done all that and the number is Case 34216

Appreciate your time with this, thank you

:slight_smile:

Actually I’m dealing with a different Facebook issue this morning, and while researching it, it seems that email and user_friends are not granted by default.  They require a second login to get.  What separates them from publish_actions and other write actions is that publish_actions and company require app approval before they will be granted, whereas email and user_friends do not require approval.  They still require the second login however.

Rob

Hi Rob,

I’m getting confused between what is required by facebook and what the plugin is doing…

Do you mean that facebook itself requires you to do two logins? if so, can you point me to where in facebook documentation it says this as I can’t find where it states that?

Or do you mean, the Corona plugin requires you to do two logins?  If this is the case, then I agree that doing it twice is currently the way to get the plugin to “work” (for email and friends).  However, I don’t believe that this should be the case from what I have read from the Facebook documentation.

From the fb docs, I also agree that you do require approval for any publish type permissions.  Although you get public_profile by default, the docs say that you can ask for additional read-only (i.e. email) permissions at first login.

Let’s take publish out of the equation for now as this seems to complicate things further - I’m just interested in getting the correct Facebook login to appear first time i.e.

https://drive.google.com/file/d/0Bzgfv3d10ZJ_VHIwU3NfQXktTlE/edit?usp=sharing

Sorry to keep quoting the Facebook documentation but I can’t help but feel something isn’t quite right with the way the plugin works (for read only permission)… However, I’m more than happy to be proved wrong if you can tell me technically why the Corona plugin needs to do two logins i.e. where does Facebook state this?  It’s also quite likely that I’m just missing something that you guys have not but if you could just point me in the right direction, I’ll shut up and leave you alone haha :wink:

This is from the iOS SDK page (I assume this is what the Corona plugin uses?)

“_Requesting permissions at login_

When someone connects with an app using Facebook login, the app can access their public profile and friend list, the pieces of information that are visible to everyone. To create this basic connection, apps must always request access to a person’s public profile information by asking for the public_profile permission. Similarly, all other pieces of information that someone adds to their Facebook profile are secured behind other read permissions. Apps also need publish permissions in order to post content on the user’s behalf. If you want to know more about permissions, you can check out our permissions reference.

You can ask for any number of read permissions or for publish permissions during login. However, as a general rule, the more permissions an app requests, the less likely it is that people accept the permission request and continue with the login process. Our research shows that apps that ask for more than four permissions experience a significant drop off in the number of completed logins. Requesting publishing permissions with publish_actions during login will prompt a second step in the login UI, as they have their own publish permissions request screen that’s shown after the login screen, which can cause fewer people to log in. As a result, we suggest that you request the bare minimum of read permissions during login and then request any additional or publish permissions when a person actually needs them.”

I grabbed this from this page: https://developers.facebook.com/docs/facebook-login/ios/v2.0#permissions-login

The way I read it is that for read only permission you only need one login - for publish you need two
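A way to confirm what the thread observes (requested scopes missing after the first login, present after the second), as an added example that is not part of the original posts or of the Corona plugin: the function takes the already JSON-decoded body of a Graph API me/permissions response and returns which requested permissions were not granted. The two response shapes handled and the sample tables are assumptions constructed for illustration.

```lua
-- Added example, not code from the thread or from the Corona plugin.
-- Plain Lua; input is the decoded body of a Graph API "me/permissions" reply.

-- Build a set of granted permission names from either response shape.
local function grantedSet(decoded)
    local granted = {}
    for _, entry in ipairs((decoded and decoded.data) or {}) do
        if entry.permission then
            -- Assumed v2.0 shape: { permission = "email", status = "granted" }
            if entry.status == "granted" then
                granted[entry.permission] = true
            end
        else
            -- Assumed v1.0 shape: a single row of name = 1 pairs
            for name, flag in pairs(entry) do
                if flag == 1 then granted[name] = true end
            end
        end
    end
    return granted
end

-- Return the requested permissions that were NOT granted, in request order.
local function missingPermissions(requested, decoded)
    local granted = grantedSet(decoded)
    local missing = {}
    for _, name in ipairs(requested) do
        if not granted[name] then
            missing[#missing + 1] = name
        end
    end
    return missing
end

-- Constructed sample: only the default permission, as after the first login.
local afterFirstLogin = { data = {
    { permission = "public_profile", status = "granted" },
} }
-- Constructed sample: second dialog shown, user declined the friends list.
local afterSecondLogin = { data = {
    { permission = "public_profile", status = "granted" },
    { permission = "email",          status = "granted" },
    { permission = "user_friends",   status = "declined" },
} }

local wanted = { "email", "user_friends" }
print("missing after first login:  " .. table.concat(missingPermissions(wanted, afterFirstLogin), ", "))
print("missing after second login: " .. table.concat(missingPermissions(wanted, afterSecondLogin), ", "))
```

In a Corona app the input would be the decoded event.response of a facebook.request( "me/permissions" ) call, so the app re-requests only what is actually missing instead of assuming the login granted everything in the table.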