Tags: php, facebook-graph-api, facebook, facebook-canvas

How to get access_token in signed_request in canvas app, if an already authorized user needs more permissions now?


Let's assume the following situation for a canvas app:

i) Day 1: A Facebook app is created which needs the read_stream, publish_stream and offline_access permissions. When a user comes to the app for the first time, the authorize call redirects the user to a permission ALLOW / DENY screen, and when the user allows it, redirects the user back to the canvas URL.

The canvas URL has an access_token in a signed request in its request parameters, which can then be used to run the app.

No permission dialog is needed for the same user coming to the app the next time, as the signed_request contains the access_token if the user authorized the app in the past.

The code looks like:

    if (access_token received from signed request)
        // do something with user information
    else
        // redirect user for authorization flow

ii) Day 2: Now, let's say I want to add one more permission, user_birthday, to my list: read_stream,publish_stream,offline_access,user_birthday. Now the following logic will have problems:

    if (access_token received from signed request)
        // do something with user information  <-- the access_token does not have the new permission
    else
        // redirect user for authorization flow

How can this additional permission be tackled efficiently, as API calls affect the performance of the app? I would not want to use something like:

https://graph.facebook.com/me/permissions?access_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

every time the application loads to check the permissions related to the token.

UPDATE:

Sharing a good method: store the permission set along with the access_token with which it was received. E.g. if the current permissions are "basic_details-birthday-publish" (let's call it 1), store the access_token and permission set as

    user  | access_token | perm_set
    Dhruv | sdfsdfsdf    | 1

Now, in your settings, whenever you need to ask for a new permission, create a new permission set "basic_details-birthday-publish-checkins" (let's call it 2).

Then you need to show the permissions dialog only for users who have an access token with perm_set = 1, and not for users who already have perm_set = 2. This gets rid of the need to check the access_token of each user with the "/me/permissions" API.


Solution

  • An implementation suggestion.

    Store the permission set along with the access_token with which it was received. E.g. if the current permissions are "basic_details-birthday-publish" (let's call it 1), store the access_token and permission set as

        user  | access_token | perm_set
        Dhruv | sdfsdfsdf    | 1


    Now, in your settings, whenever you need to ask for a new permission, create a new permission set "basic_details-birthday-publish-checkins" (let's call it 2).

    Then you need to show the permissions dialog only for users who have an access token with perm_set = 1, and not for users who already have perm_set = 2. This gets rid of the need to check the access_token of each user with the "/me/permissions" API.
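The perm_set approach from the question's update and this answer, put together with a signature check on the signed_request so the oauth_token is only trusted when it really came from Facebook. This is an added example, not code from the question or the answer: APP_SECRET is a placeholder, the PERM_SETS table and load_user_row() are assumptions standing in for the app's own settings and database lookup, and it goes one step beyond the answer by computing which scopes are still missing rather than only comparing set numbers.

```php
<?php
// Added example (not from the question or answer): verify the canvas signed_request, then use
// the stored perm_set to decide whether to show the auth dialog, without calling /me/permissions.

const APP_SECRET = 'REPLACE_WITH_APP_SECRET';   // placeholder; the real value comes from the app settings
const CURRENT_PERM_SET = 2;                      // bump this whenever the scope list grows
const PERM_SETS = [                              // assumed mapping of perm_set id -> scopes
    1 => ['read_stream', 'publish_stream', 'offline_access'],
    2 => ['read_stream', 'publish_stream', 'offline_access', 'user_birthday'],
];

function base64url_decode(string $s): string {
    return base64_decode(strtr($s, '-_', '+/'), true) ?: '';
}

// Returns the decoded payload only if its HMAC-SHA256 signature verifies under $secret; null otherwise.
function parse_signed_request(string $signed_request, string $secret): ?array {
    $parts = explode('.', $signed_request, 2);
    if (count($parts) !== 2) return null;
    [$encoded_sig, $payload] = $parts;
    $data = json_decode(base64url_decode($payload), true);
    if (!is_array($data) || ($data['algorithm'] ?? '') !== 'HMAC-SHA256') return null;
    $expected = hash_hmac('sha256', $payload, $secret, true);
    // Constant-time comparison: a mismatch must not leak how many bytes matched.
    if (!hash_equals($expected, base64url_decode($encoded_sig))) return null;
    return $data;
}

// $stored is the user | access_token | perm_set row, or null for a user we have never seen.
// Returns the scopes that still need the permission dialog; [] means the stored token is current.
function missing_scopes(?array $stored): array {
    if ($stored === null || !isset(PERM_SETS[$stored['perm_set']])) {
        return PERM_SETS[CURRENT_PERM_SET];
    }
    return array_values(array_diff(PERM_SETS[CURRENT_PERM_SET], PERM_SETS[$stored['perm_set']]));
}

// load_user_row() is a hypothetical lookup against the table shown in the answer.
$data = parse_signed_request($_REQUEST['signed_request'] ?? '', APP_SECRET);
if ($data === null || empty($data['oauth_token'])) {
    // Invalid/unsigned request or the user never authorized: run the full authorization flow.
} elseif (($need = missing_scopes(load_user_row($data['user_id']))) !== []) {
    // Stored perm_set is behind: redirect to the dialog with scope=implode(',', $need),
    // then store the new token together with CURRENT_PERM_SET.
} else {
    // Token already covers the current permission set: run the app with $data['oauth_token'].
}
```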