How to force the OAuth dialog to re-prompt the user for permissions even if already given

5

5

The Facebook OAuth dialog redirects back to the provided redirect_uri without a prompt if the user has previously approved access to the application and provided all permissions ...

I want to overwrite that behavior and force the dialog to ask the user again for permissions ...

I wonder if this can be done, since the documentation provides no help on whether this is doable or not.

Smarten answered 21/9, 2011 at 2:42 Comment(1)
update: it seems there is no real solution to this, Facebook simply doesn't provide this functionality ... – Smarten
5

I know this is an old post, but I just came across it and since I found the correct answer elsewhere, I thought I'd post it here.

You can send the auth_type=reauthorize.

AFAIK, auth_type has the following options:

* reauthorize: always asks for permissions
* rerequest: for declined/revoked permissions
* reauthenticate: always asks the user to confirm their password

Spinode answered 23/9, 2018 at 0:47 Comment(1)
Unfortunately reauthorize doesn't seem to work for facebook.com/dialog/oauth (e.g. without using the JS SDK) – Stambul
2

As @Igy has already mentioned, you can revoke user access by issuing a DELETE request to the me/permissions endpoint. The rest is simple:

FB.api('me/permissions', 'delete', function (r1) {
    // FB.login relies on FB.getLoginStatus.
    // Force reloading the login status.
    FB.getLoginStatus(function (r2) {
        FB.login(function (r3) {});
    }, true);
});
Objurgate answered 26/10, 2013 at 20:9 Comment(1)
This is the genuine answer! It looks like the Facebook SDK keeps the user in memory, so the next call to FB.login() is incorrect. Forcing it to call getLoginStatus clears that and then logout actually works! Thank you @Objurgate – Coinsurance
1

Why would you want to do this? Getting users past the permissions stage is a critical step that often loses you a lot of traffic. When the pop-up is shown is managed completely by Facebook anyway, so it's not possible to ask someone to accept permissions when they have already done it. The only time they would see the request again is if they first revoke the permissions, or if your app increases the level of access being requested.

Argal answered 21/9, 2011 at 7:23 Comment(5)
I want to do it for my own personal sanity as I'm developing, also as an option for some users, like the ones who are really concerned about security and would like to see every step, also for the older generation that are barely familiar enough with Facebook itself .. – Smarten
Also, I'm using Facebook as a login replacement; every other service provider that offers the same feature prompts the user again to approve and log in (Twitter, LinkedIn). Facebook just breaks the rule. – Smarten
OK. What you actually mean then is that you want to re-prompt for authentication every time, not for permissions? They are very different things. You can read on re-authentication using the info here: developers.facebook.com/docs/reauthentication – Argal
I mean exactly how the Twitter Authenticate flow works. The Reauthentication you pointed out simply prompts the user to log in to Facebook every time; I just want the user to be prompted with the permissions screen every time ... – Smarten
OK, well you cannot do that. Facebook have complete control over this, so if a user has already agreed to let an app use their data, they don't repeatedly ask each time they try to use the app. – Argal
0

You can call auth.revokeAuthorization. Don't worry that it says the rest api is deprecated as there currently isn't a graph api method for this and I don't think they will remove it until there is one.

Opinicus answered 21/9, 2011 at 2:57 Comment(2)
That would mean I have to know who the user is before calling the revoke resource, which doesn't work, since I'm using this as a login replacement... – Smarten
The Graph API equivalent of this is a DELETE request to /USER_ID/permissions with the user or app access token – Endarch
0

I haven't used OAuth with facebook API but if I understand your question properly this is one way you can do it:

without prompt if the user has previously approved access

When facebook redirects back the user to your application (redirect_uri), you can see that the authorization grant is missing and by that you can judge that the user did not approve your request.

force the dialog to ask the user again for permissions

Then you can make another request for a new token, but with limited token permissions (limited scope access, because obviously the user did not approve your previous scope request) and the user will be asked again to approve your request with the new set of permissions. This is the way I would do it, and I think this is the way that most applications do it when the user first rejects their request.

  1. You request a lot of user data - the user denies and is redirected back
  2. You request limited user data - the user may approve this time or can reject again
  3. You can repeat this process as long as you don't think your users will be annoyed :)
Apocarpous answered 21/9, 2011 at 6:45 Comment(0)
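
The flow the answers above describe (detect a denied or partial grant on the redirect, then re-ask only for what is missing using auth_type), as an added example that is not code from any of the posters. It also checks the `state` value on the callback so a forged redirect is not mistaken for a user decision. The app ID, URLs and the permissions payload are constructed sample values, and whether the dialog honours a given auth_type is as reported in the thread.

```javascript
// Added example (not from the thread). App ID, URLs and the permissions
// payload are constructed sample values.
const crypto = require('crypto');

// auth_type values named in the answer above.
const AUTH_TYPES = new Set(['reauthorize', 'rerequest', 'reauthenticate']);

// Build the login dialog URL. `state` is the anti-CSRF value the callback must echo.
function buildDialogUrl({ appId, redirectUri, scope, state, authType }) {
  if (authType && !AUTH_TYPES.has(authType)) {
    throw new Error('unsupported auth_type: ' + authType);
  }
  const u = new URL('https://www.facebook.com/dialog/oauth');
  u.searchParams.set('client_id', appId);
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('state', state);
  u.searchParams.set('scope', scope.join(','));
  if (authType) u.searchParams.set('auth_type', authType);
  return u.toString();
}

// Classify the redirect back to redirect_uri; reject it when state does not match.
function parseCallback(callbackUrl, expectedState) {
  const q = new URL(callbackUrl).searchParams;
  const got = Buffer.from(q.get('state') || '');
  const want = Buffer.from(expectedState);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return { status: 'bad_state' };
  }
  if (q.get('error')) return { status: 'denied', reason: q.get('error') };
  if (q.get('code')) return { status: 'approved', code: q.get('code') };
  return { status: 'denied', reason: 'no_code' };
}

// From a /me/permissions-style response, list wanted permissions not granted.
function missingPermissions(response, wanted) {
  const granted = new Set(
    response.data.filter(p => p.status === 'granted').map(p => p.permission));
  return wanted.filter(p => !granted.has(p));
}

// Decide the next step: null when nothing is missing, else a rerequest URL
// limited to the missing permissions.
function nextPrompt(response, wanted, base) {
  const missing = missingPermissions(response, wanted);
  if (missing.length === 0) return null;
  return buildDialogUrl({ ...base, scope: missing, authType: 'rerequest' });
}
```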
