Our Blog

Facebook Extended Permissions – they're not as bad as you think they are


Posted by
21 July 2010
15:20
1 comment

Whether you love the Facebook API, or hate it, this week Facebook will welcome its 500 millionth user, making it impossible to ignore it.

Much scrutiny of late was directed at the social media giant’s security policies (or rather, lack thereof), and Facebook responded by stepping up their approach on security, at least as far as extended permissions go.

Let’s take a step back. In the past, users, by connecting to an application, allowed Facebook applications access to an implicitly specified amount of their profile information. Now users are confronted with an explicit list of permissions the Application is asking for.

The list of permissions prompted for by Facebook

Facebook Extended Permissions (user dialog)

Of course, change is always opposed by proponents of the status quo, and the reception of Facebook’s decision to try and sort out their permissions policy is no exception.

The change has caused waves of dispair in the Facebook developer community, especially amongst members of the DIY mashup community. For instance, click here to see what a search for “extended permissions” on the Facebook Developers Forum typically returns: Click here

While the extended permissions clearly proves to be a stumbling block to many developers, it is actually one of the few well designed aspects of Facebook’s suite of API’s. (no, I’m not generally a fan of the Facebook API, quite the contrary)

Ease of Use

A comma-seperated list of extended permissions is passed as a GET variable to the Facebook login URL, redirected to when getting the user to log in. It couldn’t be more simple. For some bizarre reason, though, Facebook decided to use different variable names for the graph API and the normal API. And, as usual with Facebook, this “feature” is extremely poorly documented. For your own reference, it’s scope in the graph API, en req_perms in the normal API.

examples:
https://graph.facebook.com/oauth/authorize?client_id=YOURAPPID&scope=read_stream,publish_stream
http://www.facebook.com/login.php?api_key=YOURAPIKEY&req_perms=read_stream,publish_stream

Clarity of Permission Names

Permission names are simple and self-explanatory; you don’t have to consult the list time and again to remember them. email, for instance, gives you access to the user’s email address. publish_stream allows you to publish to a users stream, and read_stream allows you to (guess what!) read from a user’s stream.

User Friendly Dialog Descriptions

The way each permission is translated to the user in the connection dialog is also simple, complete, and makes perfect sense. It’s amazing how often big software companies fumble with this step. For instance, read_stream is translated to the user as Access posts in my news feed. Pretty self-explanatory, huh?.

Next Week: Some security concerns, and the silver lining.

Posted by

1 Trackback

  • By Twitter: big on social, small on security – RAAK on September 23, 2010 at 10:20 am

    [...] to be private. Now, a while ago I criticized Facebook’s extended permissions in one post and praised them in another for what they did wrong and what they did right, respectively. Well, Twitter [...]

Leave a Comment

Your email is never shared. Required fields are marked *