
Fetch email and link from Facebook.

Open paulo-raca opened this issue 8 years ago • 4 comments

AFAICT, they recently changed their API to skip these fields unless explicitly requested.

paulo-raca avatar Jul 25 '17 20:07 paulo-raca

Good catch, @paulo-raca. I think they actually did. I'm just a bit concerned with the email field. We don't request email from other providers. I did it on purpose to reduce the data to a minimum. A consumer app doesn't really need email to authenticate a user when provided with a unique ID.

WDYT?

x1ddos avatar Jul 26 '17 07:07 x1ddos

Isn't this already possible by modifying secrets.py, which users are required to do anyway?

An addition of the "email" scope to line 42 of secrets.py (template) would also request email addresses to be fetched, with the added bonus of being opt-in by the developer:

'facebook': (FACEBOOK_APP_ID, FACEBOOK_APP_SECRET, 'user_about_me email'),

I've only tested it for google and googleplus so far. Facebook doesn't support localhost test servers. The correct scope separator should be a space (see https://github.com/stevenmaguire/oauth2-uber/commit/710e38c4b45e8d54c2f0e20572d66ddb8066ad5b).

I did not find an overview of the facebook oauth2 scopes, but the scope "email" is mentioned here: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/#checktoken

As an aside: The privacy policies of some applications explicitly state not to fetch email addresses during OAuth2 authentication. Enabling it in handlers.py would make the apps violate their privacy policies, probably without the developer's knowledge.

elor avatar Jul 26 '17 07:07 elor

Exactly. One can put in secrets.py anything they want, so we can keep the default to a minimum.

@elor see the following for localhost with facebook: https://github.com/x1ddos/simpleauth#facebook. It might be a bit outdated though. Please, create a pull request if you find any mistakes.

Re: scopes. It says "scope. A comma separated list of Permissions to request from the person using your app." on https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#login.

x1ddos avatar Jul 26 '17 08:07 x1ddos

Excellent research and documentation on your part. No new pull request required, I obviously didn't RTFM and pointed to wrong information.

Thanks for the work and this easy-to-use library.

elor avatar Jul 26 '17 08:07 elor
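
An added example, not part of the thread or of simpleauth: a check over a secrets.py-style config that flags any scope beyond an allowed minimum (such as the opt-in `email`) and joins scopes with the separator each provider documents. `AUTH_CONFIG`, `ALLOWED_SCOPES`, `SCOPE_SEPARATOR` and the helper names are assumptions, and all config values are constructed.

```python
import re

# Constructed sample in the shape of the secrets.py tuple quoted in the thread:
# provider -> (app id, app secret, scope string). Values are placeholders.
AUTH_CONFIG = {
    'facebook': ('FB_APP_ID', 'FB_APP_SECRET', 'user_about_me email'),
    'google': ('G_CLIENT_ID', 'G_CLIENT_SECRET', 'profile'),
}

# Separator expected in the `scope` request parameter.
# Facebook: comma, per the login-flow documentation quoted in the thread.
# Anything else: space, the delimiter defined by RFC 6749 section 3.3.
SCOPE_SEPARATOR = {'facebook': ','}

# Assumption: the scopes this app's privacy policy permits per provider.
ALLOWED_SCOPES = {
    'facebook': {'user_about_me'},
    'google': {'profile'},
}


def split_scopes(raw):
    """Split a scope string written with commas, spaces or both."""
    return [s for s in re.split(r'[,\s]+', raw.strip()) if s]


def normalized_scope(provider, raw):
    """Re-join the scopes with the separator the provider documents."""
    return SCOPE_SEPARATOR.get(provider, ' ').join(split_scopes(raw))


def audit_scopes(config, allowed):
    """Return {provider: [scopes requested beyond the allowed minimum]}."""
    findings = {}
    for provider, (_app_id, _secret, raw) in config.items():
        extra = sorted(set(split_scopes(raw)) - allowed.get(provider, set()))
        if extra:
            findings[provider] = extra
    return findings


if __name__ == '__main__':
    for name, extra in audit_scopes(AUTH_CONFIG, ALLOWED_SCOPES).items():
        print('%s requests scopes beyond the minimum: %s' % (name, extra))
    print(normalized_scope('facebook', AUTH_CONFIG['facebook'][2]))
```

Run as a pre-deploy check, this makes a broadened scope visible to whoever maintains the privacy policy instead of relying on the developer remembering it.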