Why does Facebook login ask for different (more) scopes?

Question

I want to trigger a Facebook login and I am accessing this URL:

https://www.facebook.com/dialog/oauth?client_id=398192236928167&scope=user_photos&response_type=token&redirect_uri=http://www.useralbum.com/callback.html

I am specifying scope=user_photos but the permission popup says:

App_name would like to access your public profile, friend list and photos

and it used to just say

would like to access your photos.

What am I doing wrong?

Answer 1

You are doing nothing wrong, the message

App_name would like to access your public profile, friend list

appears along with your permission because Facebook adds the basic Public Profile and Friend List permission to all the apps as a default, even if you are not asking for any permissions. And you cannot stop Facebook from adding these basic permissions so that you may have permission request like

App_name would like to access your photos.

Edit: if you request permission without defining any scope, accept it, then request another one with scope=user_photos, then it will just say App_name would like to access your photos.