Imagine I have a mobile app, and then I create a new Facebook app, which I use to login users through it. In order to log into the app, users have to grant user_likes permission. Then, I can access their user_likes with a request to the facebook graph using the app_token. I've tested this. But also, I realized that only the user_likes set to "public" are shown. All the user_likes that are private or only friends, are not shown.
Is this the intented behaviour? I mean, if some user granted me access to user_likes and he didn't revoke explicitly the permission after that, should I be able to get the user_likes anyway or no?
Thanks in advance.
You need to use an User Access Token, not an App Access Token. That's what they are for.