I've got a Facebook login implementation (for a website, using the JavaScript API) for which I want the "email" permission to be required. When the user first logs in, they may deny this permission - which is easy enough to detect by a subsequent look at the /me/permissions endpoint. If I do find they've denied it, I don't continue with the login. So far so good.
Then during subsequent logins, to make sure they get re-prompted for that permission, I include auth_type="rerequest" in my login buttons (which may be rendered via either xfbml or a link with onclick=FB.login(...)).
While this appears to be working, my question is: if I always want the permission to be required, is there any disadvantage to ALWAYS including auth_type="rerequest" in my login buttons? I don't see anything to the contrary in the documentation, and it appears not to have any adverse effect on new users or users who've not denied the permission (i.e. it only changes the login flow by re-prompting if the user has already rejected something, which is the behavior I want).
Good practice seems to dictate that I should only include this when I actually know there's something I want to re-prompt, but for the sake of this question, I'd like to know if there are any pitfalls to just always including it.
Facebook Login allows a person to grant only a subset of permissions that you ask for to your app, except for public profile, which is always required.
You may need to enable Login from Devices in your app. Load your app's dashboard and set Product > Facebook login > Settings > Login from Devices to 'Yes'.
There is no real downside afaik, but the recommended way is NOT to force users to use permissions they deselected. Instead, show them an input field if they did not authorize the email permission, where they can enter any email they want. Keep in mind that the email field isn't always filled, even if the user accepted the permission.
Are you using the Facebook login button? It works for me for re-asking for a declined permission.
Just adding auth_type="rerequest" in the button.
<fb:login-button scope="email,user_birthday,public_profile" auth_type="rerequest" onlogin="checkLoginState();"></fb:login-button>
Hope that can help you.
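The flow discussed in this thread, as an added example that is not code from any of the posters: it reads a /me/permissions response, adds auth_type "rerequest" only when a required permission is not granted, and falls back to asking for an address when the permission is granted but the email field is empty. The helper names (missingPermissions, loginOptions, nextStep) and the sample response are constructed for illustration.

```javascript
// Added example: helper names are hypothetical, sample data is constructed.
const REQUIRED = ['email'];

// Constructed sample of a /me/permissions response body.
const samplePermissions = {
  data: [
    { permission: 'public_profile', status: 'granted' },
    { permission: 'email', status: 'declined' },
  ],
};

// Required permissions that are not currently granted
// (declined, expired, or absent from the response, e.g. an error body).
function missingPermissions(response, required = REQUIRED) {
  const rows = response && Array.isArray(response.data) ? response.data : [];
  const granted = new Set(
    rows.filter((r) => r.status === 'granted').map((r) => r.permission)
  );
  return required.filter((p) => !granted.has(p));
}

// Options for FB.login: auth_type is added only when something must be re-asked.
function loginOptions(missing) {
  const opts = { scope: REQUIRED.join(',') };
  if (missing.length > 0) opts.auth_type = 'rerequest';
  return opts;
}

// Decide the next step. profile is the result of /me with fields=email.
function nextStep(permResponse, profile) {
  const missing = missingPermissions(permResponse);
  if (missing.length > 0) return { action: 'rerequest', options: loginOptions(missing) };
  const email = profile && typeof profile.email === 'string' ? profile.email.trim() : '';
  // A granted permission does not guarantee a value: ask the user for one.
  if (email === '') return { action: 'ask_for_email' };
  return { action: 'continue', email };
}

// Browser wiring; needs the Facebook SDK loaded as FB. On 'rerequest', call
// FB.login(checkLoginState, step.options) from a click handler, because
// browsers block popups that are opened outside a user gesture.
function checkLoginState(onStep = console.log) {
  FB.api('/me/permissions', (perms) => {
    FB.api('/me', { fields: 'email' }, (profile) => onStep(nextStep(perms, profile)));
  });
}
```

Because this check runs in the browser, a server that depends on the email should repeat the /me/permissions lookup with the user's access token before trusting the result.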