Facebook recommends that when using facebook login you should initially ask the user for as few permissions as possible, and in particular avoid requesting publish permissions until the user needs to publish something via your site - https://developers.facebook.com/docs/facebook-login/permissions/#optimizing.
We've been trying to implement this using python-social-auth's django app, but it seems that there's no way of asking for different permissions at different points in the site - the scope is set via the
SOCIAL_AUTH_FACEBOOK_SCOPE setting, and it's not possible to ask for a different scope later (e.g. excluding
SOCIAL_AUTH_FACEBOOK_SCOPE, and then asking the user to provide that permission when they try to post from your site to facebook).
Does anyone know if this is possible in the python-social-auth app, and if so, how?
(The following text was extracted from the docs at http://psa.matiasaguirre.net/docs/use_cases.html#multiple-scopes-per-provider)
At the moment python-social-auth doesn't provide a method to define multiple scopes for single backend, this is usually desired since it's recommended to ask the user for the minimum scope possible and increase the access when it's really needed. It's possible to add a new backend extending the original one to accomplish that behavior, there are two ways to do it.
from social.backends.facebook import FacebookOAuth2 class CustomFacebookOAuth2(FacebookOauth2): def get_scope(self): scope = super(CustomFacebookOAuth2, self).get_scope() if self.data.get('extrascope'): scope += [('foo', 'bar')] return scope
This method is quite simple, it overrides the method that returns the scope value in a backend (
get_scope()) and adds extra values tot he list if it was indicated by a parameter in the
POST data (
Put this new backend in some place in your project and replace the original
AUTHENTICATION_BACKENDS with this new version.
It's possible to do the same by defining a second backend which extends from the original but overrides the name, this will imply new URLs and also new settings for the new backend (since the name is used to build the settings names), it also implies a new application in the provider since not all providers give you the option of defining multiple redirect URLs. To do it just add a backend like:
from social.backends.facebook import FacebookOAuth2 class CustomFacebookOAuth2(FacebookOauth2): name = 'facebook-custom'
Put this new backend in some place in your project keeping the original
AUTHENTICATION_BACKENDS. Now a new set of URLs will be functional:
/login/facebook-custom /complete/facebook-custom /disconnect/facebook-custom
And also a new set of settings:
SOCIAL_AUTH_FACEBOOK_CUSTOM_KEY = '...' SOCIAL_AUTH_FACEBOOK_CUSTOM_SECRET = '...' SOCIAL_AUTH_FACEBOOK_CUSTOM_SCOPE = [...]
When the extra permissions are needed, just redirect the user to
/login/facebook-custom and then get the social auth entry for this new backend with
user.social_auth.get(provider='facebook-custom') and use the
access_token in it.