Facebook connect just for registered members

[Owdy]

Feature request. I wanna allow my users to use facebook connect but i dont wanna allow new registerations with that. That just because there are some profile fields what are mandatory in registeration in my site and Facebook connect overrides them.

[Wolfie]

I've been making this same request for awhile, where I can allow FBC, but only for current members. Just for me, the important factor is in having a real email address instead of a facebook one which would then redirect to them.

[bfarber]

It is against Facebook's rules. As we've explained.

You have 2 general options

1) Allow Facebook Connect. Their guidelines state that if you allow FBC, you must make it a seamless "login" process. You cannot ask for additional information during the process, nor can you treat the user using Facebook Connect differently than a locally registered/logged in use.

2) Don't use FBC. Then you don't have to adhere to their rules.


Unfortunately, you can't pick and choose which FBC guidelines you're going to follow. Either you have to follow them all, or don't use their API. :)

[Owdy]

Okay, i take option 2 then.

[Wolfie]

1) Allow Facebook Connect. Their guidelines state that if you allow FBC, you must make it a seamless "login" process. You cannot ask for additional information during the process, nor can you treat the user using Facebook Connect differently than a locally registered/logged in use.

Based on their new rules (guidelines), can't you require that they give permission for you to know their true email address?

[Mat Barrie]

Based on their new rules (guidelines), can't you require that they give permission for you to know their true email address?

No. You can only require they provide permission to obtain their proxy email address.

[bfarber]

I'm not 100% up to date on their guidelines (since Matt handles all the FBC stuff). I don't think you can require it, but I think it is possible to retrieve it if the user allows.

[Mat Barrie]

Not the real email. Facebook never gives that out, only the proxy email.

[Wolfie]

They've updated their guidelines so that it can be given with the members permission. I'm just wondering if a site can require the permission or not.

[Mat Barrie]

The site may not require any permission.

See the policies, section V.3

[Wolfie]

Well that's stupid. That's like a major opening for spammers to be able to circumvent security measures. Follow their rules, does it permit obtaining their email address temporarily (so that it can be compared to an internal search) to prevent someone from registering multiple accounts, circumventing bans, etc?

[Mat Barrie]

No. You may not subject any member who comes in via Facebook to any further scrutiny. Once they click Connect, that's it. You're not allowed to check anything.

[Wolfie]

So basically, FaceBook is saying, "You may use our connection system so long as you surrender any form of security or protection against abuse..."

That's going to come back to bite them in the rear end when their user base starts loading up with spammers using their service to get around security measures of other sites.

[Mat Barrie]

What they're essentially saying is "you may use Connect, provided you trust that our security is up to the task of preventing undesirables getting through".

Annoyingly, you can't even force a Connect member to read your Terms of Service. Facebook insists that if you Connect with a site you agree with that site's ToS, but the site isn't allowed to make you read it - which I would assume means you can plead ignorance if you violate it in some way.

[bfarber]

I believe you can give a link to your TOS when setting up Facebook Connect, however, and Facebook supplies that link on the "do you wish to allow site x to access your info" screen.

Facebook does allow you to retrieve the real email address now, but the user has to allow it. Will see if Matt can clear this up a little, since he knows more about it.

[Matt]

Just to clarify:

Facebook Connect guidelines want you to click their button, perform any Facebook log in and then appear as a member on the site. You may not request any additional information during the "log in" process and you cannot limit it to current members. It may be called "Facebook Connect" but it is not really designed to "connect" a forum account to a Facebook account.

Any sites that do perform additional tasks have a special arrangement with Facebook. I believe Digg.com asks for a display name during the "log in" process but they can do that as they have a special arrangement.

Facebook have recently introduced a new permission mask for requiring the user's real email address. As with all permission requests, a dialogue box appears asking the user to grant permission. They can decline if they wish and you will get their proxy email address. Assuming they accept, then the real email address is stored. IP.Board 3.1 makes use of this.

Existing connected members will need to revoke permission for emails and then re-accept the new one. I have yet to figure out an elegant way of doing that.

[philblair99]

It's a shame that it can't be limited to current members only, as that's all I wanted it for.
May give it a try anyway though when 3.1 is out.

[Wolfie]

You may not request any additional information during the "log in" process and you cannot limit it to current members.

Just wondering, but what if you are no longer accepting new registrations? Does that mean that if you use FBC, that you must accept new members despite this?

[bfarber]

You have to change how you look at FBC. Facebook wants you to consider when someone uses FBC that they are logging in, NOT registering. Essentially, you have your membership database, plus Facebook's. Anyone that is a Facebook user doesn't register at your site, they login to your site, using their existing Facebook login.

[Kovy]

Just testing the Facebook Connect on this site :) - It saves joining up to several forums you be on, Facebook Connect allows (non techies) who only go on Facebook and nothing else to feel safer around other sites.

Some internet users might use facebook but nothing else. I have logged into here using FC - now am I a member of the forum or am I just a facebook user on the forum?

[Mat Barrie]

Both, Kovy. IPB copied over some details when you signed up (your name which is your default IPB display name, your Facebook proxy email address, birthday info, display picture, etc) and will keep syncing those over from FB.