79

We have a browser based game which uses Facebook Connect through an AppID that we used to run the same game in a canvas until Fb Credits were introduced and we were forced to shut it down. Now, we only use the App the same way as a product page with the FbConnect integration on our own site.

Today's mail states for our case:

If your Connect app is accessing user connections or asking for additional permissions beyond age, email, and our Publishing Permissions, please remove these requests.

(This refers to this policy change: https://developers.facebook.com/blog/post/2012/09/05/platform-updates--operation-developer-love/)

We are using oauth FbConnect with scope=email,user_birthday. This is exactly what was specified in an earlier mail so it should be ok.

Once the user is authenticated, we simply call

https://graph.facebook.com/me?access_token=...

and read what comes there.

Is it possible, that we are not allowed to call the GraphAPI's me anymore? It contains info like gender, location and locale...
The Oauth data contains the fbuid, first/lastname and the email, but it does not contain the age, what we are supposed to be allowed to ask?

Do I have to call https://graph.facebook.com/me?fields=birthday explicitly?

Did anyone actually succeed in getting an "desktop web game hosted primarily off Facebook" to comply with their new policy without creating a new AppID?

Note: There have been a couple of questions about the "Sep 5th policy change" like Facebook: Notice of Violation this one and many previous closed as duplicates, but none I found so far contains questions or answers on a technical level.

mmcglynn
  • 6,876
  • 15
  • 45
  • 73
Christopher Lörken
  • 2,582
  • 16
  • 17
  • 1
    Yes, I've had the same problem as what's mentioned in your note. I made adjustments to our app and released to production on Tuesday, and I thought we were fully in line with the new requirements. But then we got another email from Facebook yesterday claiming that we're still in violation. Very hard to get details on this! – roguenet Dec 07 '12 at 19:03
  • Specifically, we currently ask for email, user_birthday and publish_stream. My understanding is that those are all allowed, but the user_birthday thing is ambiguous. The email says we're only allowed to ask for the "age" permission, but I see no reference to any separate age permission in the docs, so is that user_birthday? – roguenet Dec 07 '12 at 19:07
  • Yes, I think they meant user_birthday with "age" since it was explicitly mentioned in a previous mail. Are you accessing https://graph.facebook.com/me as well or are you just asking for the permissions in Oauth? Because if you do not access it, then I tend to assume, that they did send their follow-up mail without reason... – Christopher Lörken Dec 11 '12 at 10:57
  • I do access it - I see no other way to actually retrieve a user's birthday once you've requested those permissions. Is there an API call for that that I've missed? The way I read the email, it's the further connections (like me/feed) that we're not allowed access to anymore. – roguenet Dec 12 '12 at 22:00
  • The mail is transferred together with the facebook id in the redirect after the Oauth. Reading the birthday and email later on would be possible with calling `https://graph.facebook.com/me?fields=birthday,email` but I would really not understand that this would be allowed while calling `me`without parameters whould not be allowed. It is their decision what they send back. Anyway, we haven't heard from them since the last mail, maybe it was triggered based on false information... – Christopher Lörken Dec 14 '12 at 13:50
  • 7
    FWIW, my CEO was able to get in touch with someone at Facebook to verify that in fact our app is fine after I put in my first fix; the warning email that got out was working off of stale data. So yes, user_birthday permissions are fine. Also, you can access /me (specifying fields not required). – roguenet Dec 18 '12 at 23:04
  • I have problems, user_birthday permission are wrong, any link about this? – Robert Jan 20 '14 at 20:05

1 Answers1

1

Maybe you could skip the "Website with Facebook Login" part in developer settings and only provide your game directly via canvas. (eg. apps.facebook.com/logogame). that's what "on facebook.com" is all about, I guess.

user26
  • 69
  • 1
  • 1
  • 6