Question

Facebook recommends that when using Facebook Login you should initially ask the user for as few permissions as possible, and in particular avoid requesting publish permissions until the user needs to publish something via your site - https://developers.facebook.com/docs/facebook-login/permissions/#optimizing.

We've been trying to implement this using python-social-auth's Django app, but it seems that there's no way of asking for different permissions at different points in the site - the scope is set via the SOCIAL_AUTH_FACEBOOK_SCOPE setting, and it's not possible to ask for a different scope later (e.g. excluding publish_actions from SOCIAL_AUTH_FACEBOOK_SCOPE, and then asking the user to provide that permission when they try to post from your site to Facebook).

Does anyone know if this is possible in the python-social-auth app, and if so, how?

Solution

(The following text was extracted from the docs at http://psa.matiasaguirre.net/docs/use_cases.html#multiple-scopes-per-provider)

At the moment python-social-auth doesn't provide a method to define multiple scopes for a single backend. This is usually desired, since it's recommended to ask the user for the minimum scope possible and increase the access when it's really needed. It's possible to add a new backend extending the original one to accomplish that behavior; there are two ways to do it.

Overriding get_scope() method

from social.backends.facebook import FacebookOAuth2


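class CustomFacebookOAuth2(FacebookOAuth2):
    def get_scope(self):
        # Start from the scope configured for the original backend
        scope = super(CustomFacebookOAuth2, self).get_scope()
        # self.data holds the GET or POST parameters of the login request
        if self.data.get('extrascope'):
            # Placeholder entry; substitute the extra permission(s) to request
            scope += [('foo', 'bar')]
        return scope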

This method is quite simple: it overrides the method that returns the scope value in a backend (get_scope()) and adds extra values to the list if it was indicated by a parameter in the GET or POST data (self.data).

Put this new backend in some place in your project and replace the original FacebookOAuth2 in AUTHENTICATION_BACKENDS with this new version.

Defining a backend to handle the scope

It's possible to do the same by defining a second backend which extends from the original but overrides the name. This will imply new URLs and also new settings for the new backend (since the name is used to build the settings names). It also implies a new application in the provider, since not all providers give you the option of defining multiple redirect URLs. To do it, just add a backend like:

from social.backends.facebook import FacebookOAuth2


class CustomFacebookOAuth2(FacebookOAuth2):
    # The name is used to build both the URLs and the settings names
    name = 'facebook-custom'

Put this new backend in some place in your project keeping the original FacebookOAuth2 in AUTHENTICATION_BACKENDS. Now a new set of URLs will be functional:

/login/facebook-custom
/complete/facebook-custom
/disconnect/facebook-custom

And also a new set of settings:

SOCIAL_AUTH_FACEBOOK_CUSTOM_KEY = '...'
SOCIAL_AUTH_FACEBOOK_CUSTOM_SECRET = '...'
SOCIAL_AUTH_FACEBOOK_CUSTOM_SCOPE = [...]

When the extra permissions are needed, just redirect the user to /login/facebook-custom and then get the social auth entry for this new backend with user.social_auth.get(provider='facebook-custom') and use the access_token in it.
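
An added example (not from the python-social-auth docs or from the answer above) of the get_scope() approach, with the requested scope checked against an allowlist so that the request parameter can only add scopes the site has decided to offer. StubFacebookBackend stands in for FacebookOAuth2 so the block runs without the library; it, ALLOWED_EXTRA_SCOPES, the comma-separated extrascope format and unlisted_permission are assumptions made for the example.

```python
# Added example: allowlist-checked incremental scope for a get_scope() override.
# StubFacebookBackend is a constructed stand-in for
# social.backends.facebook.FacebookOAuth2 (assumption, so this runs offline).

ALLOWED_EXTRA_SCOPES = {"publish_actions"}  # hypothetical site-defined allowlist


def parse_extra_scope(data, allowed=ALLOWED_EXTRA_SCOPES):
    """Return the allowlisted scopes named in the 'extrascope' parameter."""
    raw = data.get("extrascope") or ""
    requested = [s.strip() for s in raw.split(",") if s.strip()]
    # Anything not on the allowlist is dropped, never forwarded to the provider.
    return [s for s in requested if s in allowed]


class IncrementalScopeMixin:
    """Mix in ahead of the backend class; extends get_scope() on demand."""

    def get_scope(self):
        scope = list(super().get_scope())  # copy, so the base list is untouched
        for extra in parse_extra_scope(self.data):
            if extra not in scope:
                scope.append(extra)
        return scope


class StubFacebookBackend:
    """Constructed stand-in exposing only what the mixin needs."""
    DEFAULT_SCOPE = ["email"]  # plays the role of SOCIAL_AUTH_FACEBOOK_SCOPE

    def __init__(self, data):
        self.data = data  # GET/POST parameters of the login request

    def get_scope(self):
        return self.DEFAULT_SCOPE


class CustomFacebookOAuth2(IncrementalScopeMixin, StubFacebookBackend):
    pass


def scope_for(data):
    """Scope that would be requested for a login request carrying `data`."""
    return CustomFacebookOAuth2(data).get_scope()


if __name__ == "__main__":
    print(scope_for({}))
    print(scope_for({"extrascope": "publish_actions, unlisted_permission"}))
```

In a real project the mixin would be combined with FacebookOAuth2 in place of the stub, and the login link would carry the extrascope parameter only on the page where publishing is first needed.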

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow