Managing Permissions, iOS

During basic login, your app receives access to a person's public profile. To access additional profile information or to publish content to Facebook on their behalf, you need to request additional permissions; see Permissions with Facebook Login.

Your app should manage permissions as follows:

  • Graph API Requests - Before you send Graph API requests, you should check for necessary permissions and request them if needed.

  • Missing and Revoked Permissions - Your app needs to handle missing or revoked permission errors from Facebook, for example by asking for permissions and retrying. See Error-Handling, iOS SDK.

  • Timing Requests - You will get better conversion if you ask for permissions only when they are needed and provide functionality without requiring all permissions.

Request at Login

To ask for permissions on login with FBSDKLoginButton, set the permissions property:

let loginButton = FBLoginButton()
loginButton.permissions = ["public_profile", "email"]

If you're using a custom login button instead of FBSDKLoginButton, you can use a LoginManager to perform the login:

override func viewDidLoad() {
    super.viewDidLoad()

    ...
    loginButton.addTarget(self, action: #selector(loginButtonClicked), for: .touchUpInside)  
}
  
@objc func loginButtonClicked() {
    let loginManager = LoginManager()
    loginManager.logIn(permissions: ["email"], from: self) { result, error in
        // Process result or error
    }
}

You should check for the availability of an existing token before you call the loginManager. See Facebook Login for iOS.

Check for Permissions

To check for current permissions, inspect the FBSDKAccessToken.

if ([[FBSDKAccessToken currentAccessToken] hasGranted:@"email"]) {
  // TODO: publish content.
} else {
  FBSDKLoginManager *loginManager = [[FBSDKLoginManager alloc] init];
  [loginManager logInWithPublishPermissions:@[@"email"]
                         fromViewController:self
                                    handler:^(FBSDKLoginManagerLoginResult *result, NSError *error) {
    //TODO: process error or result.
  }];
}

Declined Permissions

Inspect the FBSDKLoginManagerLoginResult returned to the FBSDKLoginManager callback or to the FBSDKLoginButton delegate to see if someone declined a request for permissions:

FBSDKLoginManager *loginManager = [[FBSDKLoginManager alloc] init];
[loginManager logInWithPublishPermissions:@[@"email"]
                       fromViewController:self
                                  handler:^(FBSDKLoginManagerLoginResult *result, NSError *error) {
 if ([result.declinedPermissions containsObject:@"email"]) {
   // TODO: do not request permissions again immediately. Consider providing a NUX
   // describing why the app wants this permission.
 } else {
   // ...
 }
}];

Missing Permissions

When you make Graph API requests, you can check the NSError object to see if there are permission errors:

[[[FBSDKGraphRequest alloc] initWithGraphPath:@"me/feed"
                                   parameters:@{ @"message" : @"This is a status update" }
                                   HTTPMethod:@"POST"]
  startWithCompletionHandler:^(FBSDKGraphRequestConnection *connection, id result, NSError *error) {
    if ([error.userInfo[FBSDKGraphRequestErrorGraphErrorCode] isEqual:@200]) {
      NSLog(@"permission error");
    }
}];

For more information, see Error-Handling, iOS SDK.

Request More Permissions

Use FBSDKLoginManager to request additional permissions, or to request previously declined permissions again, using the logInWith*: methods. FBSDKLoginManager detects that it is a re-request from the availability of [FBSDKAccessToken currentAccessToken].
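
The flow this page describes (check the cached token, ask only when the feature is used, do not re-prompt after a decline, handle Graph error 200) combined into one helper. This is an added example, not Facebook's code: the function and type names are hypothetical, and it uses the same SDK calls as the snippets on this page plus the login result's isCancelled property.

```objc
#import <UIKit/UIKit.h>
#import <FBSDKCoreKit/FBSDKCoreKit.h>
#import <FBSDKLoginKit/FBSDKLoginKit.h>

// Hypothetical names throughout; none of these helpers are SDK APIs.
typedef FBSDKGraphRequest *(^RequestBuilder)(void);  // builds the request after any login
typedef void (^GateCompletion)(id result, NSError *error, BOOL permissionUnavailable);

// Ask for one publish permission; report YES only if it was actually granted.
static void AskFor(NSString *permission, UIViewController *vc, void (^then)(BOOL granted)) {
  FBSDKLoginManager *loginManager = [[FBSDKLoginManager alloc] init];
  [loginManager logInWithPublishPermissions:@[permission]
                         fromViewController:vc
                                    handler:^(FBSDKLoginManagerLoginResult *result, NSError *error) {
    // An error, a cancelled dialog and an explicit decline all mean "not granted".
    then(!error && !result.isCancelled &&
         ![result.declinedPermissions containsObject:permission]);
  }];
}

// Send the request. If Graph answers with error code 200 although the cached
// token listed the permission, re-request once and retry; never prompt in a loop.
static void Send(RequestBuilder build, NSString *permission, UIViewController *vc,
                 BOOL mayRetry, GateCompletion completion) {
  [build() startWithCompletionHandler:^(FBSDKGraphRequestConnection *connection,
                                        id result, NSError *error) {
    BOOL denied = [error.userInfo[FBSDKGraphRequestErrorGraphErrorCode] isEqual:@200];
    if (!denied) { completion(result, error, NO); return; }
    if (!mayRetry) { completion(nil, error, YES); return; }
    AskFor(permission, vc, ^(BOOL granted) {
      if (granted) { Send(build, permission, vc, NO, completion); }
      else { completion(nil, error, YES); }
    });
  }];
}

// Entry point: call this when the person uses the feature, not at login.
void SendRequiringPermission(RequestBuilder build, NSString *permission,
                             UIViewController *vc, GateCompletion completion) {
  if ([[FBSDKAccessToken currentAccessToken] hasGranted:permission]) {
    Send(build, permission, vc, YES, completion);
    return;
  }
  AskFor(permission, vc, ^(BOOL granted) {
    // A permission granted a moment ago gets no second prompt if Graph still refuses.
    if (granted) { Send(build, permission, vc, NO, completion); }
    else { completion(nil, nil, YES); }
  });
}
```

The request is built inside a block so that it is created after any login and picks up the current access token; when permissionUnavailable is YES, the caller should offer the feature in a reduced form instead of asking again.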

Revoke Permissions

You can enable someone to remove or revoke specific permissions previously granted to your app. For example, your app can have a settings page where people can disable specific features.

Revoke permissions by making a call to a Graph API endpoint.

[[[FBSDKGraphRequest alloc] initWithGraphPath:@"me/permissions/email"
       parameters:nil
       HTTPMethod:@"DELETE"]
  startWithCompletionHandler:^(FBSDKGraphRequestConnection *connection, id result, NSError *error) {
  // ...
}];

Revoke Login

You can revoke all privileges for an app by making a Graph API call that deletes all permissions. Use the code in Revoke Permissions and change the request's path to /me/permissions.


Revoking Permissions via Graph API Explorer

For testing purposes, you may want to unauthorize your app or revoke permissions without using your app. You can use the Graph API Explorer to do so.

  1. Access the Graph API Explorer.
  2. Select your App.
  3. Click Get Token > Get Access Token.
  4. Click Clear to unauthorize the selected app.

To revoke a single permission:

  1. Set the path input field to /me/permissions/{permission-name}, replacing {permission-name} with the permission you want to remove, for example email.
  2. Switch from GET to DELETE.
  3. Hit the Submit button.