How to specify Extended Permissions in the JS SDK Auth request

Question

UPDATED TO BE MORE CLEAR (hopefully :)):

Related to this page, specifically the SSO section: http://developers.facebook.com/docs/authentication/

You've got the option Facebook says to use either that facebook connect button (whatever connect means nowdays with Facebook is a grey fog to me now) or just roll your own image as a button and on click call FB.Login().

So I tried the facebook button route which lead me to a complete brick wall. I mean I can get it working, auth, login, all that but I have no clue how to pass extended permissions through this entire process with the button:

window.fbAsyncInit = function () {
    FB.init({ appId: facebookApplicationID, status: true, cookie: true, xfbml: true });
    FB.Event.subscribe('auth.sessionChange', function (response) {
    ...rest of code

Ok, how do I attach extended permissions to this call? Of course you can do it easily if using Login() but why doesn't facebook show any examples or state whether the perms parameter exists in terms of placing it somewhere in this process of using that button!

related links: http://forum.developers.facebook.com/viewtopic.php?pid=248096#p248096

I don't even know why they have that button in here when it looks to me like most everyone is just simply calling Login() inside the Init. I assume then calling Login() still manages the SSO in terms of cookie, etc.?

Is anyone using this button or are you just going with FB.Login() ?

I'm running this in an iframe on our own hosted website...not embedding code into the facebook site itself (which I believe is called canvas right?).

Answer 1

RTFM. Yes, I mean friendly.

Right below the Single Sign-on section is the Account Registration Data section and I've copy-pasted this from there.

<fb:login-button perms="email,user_birthday"></fb:login-button>

Answer 2

Not exactly sure what you are trying to accomplish here. If you want to get information about your user or take actions on their behalf on Facebook, you need the user to tell Facebook it's okay to do so (this only needs to happen once) which is why you need to you call FB.login as described here: http://developers.facebook.com/docs/reference/javascript/FB.login.

FB.login(function(response) {
  if (response.session) {
    if (response.perms) {
      // user is logged in and granted some permissions.
      // perms is a comma separated list of granted permissions
    } else {
      // user is logged in, but did not grant any permissions
    }
  } else {
    // user is not logged in
  }
}, {perms:'read_stream,publish_stream,offline_access'});

They need to enter in their password to prove it's really them to authorize your app. If you need extended permissions, the second parameter in FB.login allows you to do this.

If the user is already logged in to Facebook (for example in another tab) then there's no need to log in and the login screen should be skipped. If the user is both logged in an has already authorized your app then there's no need to call FB.login.

You check check the user's login status (and permissions) with FB.getLoginStatus: http://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus before deciding whether or not to call FB.login.