Question

I am thinking of distributing a Flash game that can inject Facebook JS into any webpage that will host it (many free Flash game portals). I can window.open the Facebook login dialog when the host page sets allowScriptAccess.

One of my ideas for how to work around the cross-domain login issue (how to get the accessToken back to my Flash game hosted on an unknown domain, without fighting cross-domain JS and all those browser issues):

  1. Flash generates unique token (tag)
  2. Flash opens comet connection with the tag to our server
  3. Flash opens OAUTH dialog, forwarding tag in redirect_uri to allowed domain
  4. User signs in with Facebook credentials and is redirected to redirect_uri with active accessToken (CODE) and tag
  5. Facebook redirects to our server passing accessToken
  6. Our server grabs CODE and tag from GET params and extracts accessToken
  7. Our server forwards accessToken to Flash by comet recognized by the tag
  8. Finally - Flash can use Facebook features with valid accessToken

As I am not a lawyer and those Facebook policy docs are not understandable to me...

Question: Would Facebook allow this kind of login on any domain? I feel I would be working around some security this way.
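The server side of steps 2 and 5 to 7 above, as an added example that is not part of the original post: the tag is the only thing tying a token to a comet connection, so the relay accepts each tag once and only for a short time. The class name, tag format, lifetime and the `exchange_code` callable (standing in for the CODE-to-accessToken exchange) are assumptions.

```python
import re
import time

TAG_RE = re.compile(r"[A-Za-z0-9_-]{32,128}")  # assumed tag format: long, URL-safe
TAG_TTL = 300  # assumed lifetime of a pending login, in seconds


class TagRelay:
    """Ties the comet connection (step 2) to the OAuth callback (steps 5-7)."""

    def __init__(self, exchange_code, now=time.monotonic):
        self._exchange_code = exchange_code  # hypothetical stand-in: CODE -> accessToken
        self._now = now
        self._pending = {}  # tag -> (deadline, deliver callback)

    def register(self, tag, deliver):
        """Step 2: Flash opens the comet connection and presents its tag."""
        if not TAG_RE.fullmatch(tag):
            raise ValueError("tag too short or malformed")
        if tag in self._pending:
            raise ValueError("tag already in use")
        self._pending[tag] = (self._now() + TAG_TTL, deliver)

    def callback(self, params):
        """Steps 5-7: handle the redirect carrying CODE and tag as GET params."""
        code = params.get("code", "")
        if not code:
            return False  # nothing to exchange; leave the tag pending
        entry = self._pending.pop(params.get("tag", ""), None)  # pop = single use
        if entry is None:
            return False  # unknown or replayed tag
        deadline, deliver = entry
        if self._now() > deadline:
            return False  # login took too long; the tag is already discarded
        deliver(self._exchange_code(code))  # step 7: push the token over comet
        return True


if __name__ == "__main__":
    received = []
    relay = TagRelay(lambda code: "token-for-" + code)  # constructed exchange
    tag = "t" * 40  # constructed tag; a real one must be random
    relay.register(tag, received.append)
    print(relay.callback({"tag": tag, "code": "constructed-code"}), received)
    print(relay.callback({"tag": tag, "code": "constructed-code"}))  # replay
```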


Solution

The Facebook platform policy does not limit you from doing what you want. As long as you pass the login process through your domain (you don't have any other option) and add a "logout" link, you will be fine.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow