things i wish facebook users knew about authing
January 12, 2011
When you’re going through an authentication flow involving Facebook, there are three core types of flows, and these do not intersect. So, if you know what sort of flow you’re about to enter, you can be more confident about what sort of data is getting shared.
1. Login: The Facebook login flow is like OAuth in that a 3rd party site never “sees” your Facebook password, nor should it. The 3rd party site hands you off to Facebook, and Facebook checks your cookies for a valid login, then simply passes you back to the 3rd party site saying “yup, this is the person they say they are,” or “nope, not valid.” You may not even see this screen if you’re currently logged in, since Facebook will see you are who you say you are and immediately pass you back (usually in the browser instead of a pop-up):

No other data is passed in this flow, such as your contacts or access to your Facebook Wall.
2. App Approval: If a 3rd party site wants to access more data about you, you have to approve it with one of these funky screens (usually a pop-up):

This screen will tell you exactly what the 3rd party site wants to do with your Facebook data. You can say allow or not allow. This is different from letting a 3rd party site access your contacts, or a simple login.
3. Contacts: If a 3rd party site ever wants to access your contacts, this is a very different auth flow, and it applies only to accessing your contacts once. In other words, the 3rd party site, even if you’ve approved them to access your contact list once, cannot store that list, and you’ll have to auth for them to do it again. This is very different from the app approval screen, which creates a permanent connection between your Facebook account and the 3rd party site (until you deactivate it). Here’s how this screen looks, generally as a pop-up:

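To make the three flows concrete, here is an added example (my own sketch, not Facebook’s code or API) of a hypothetical identity provider that hands out opaque tokens: the password never leaves the provider, a login token answers only “who is this?”, an app-approval token is persistent but limited to the approved scopes, and a contacts token is consumed after one read. The user, password and profile data are constructed for the demo.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Grant:
    user: str
    scopes: frozenset   # data the 3rd-party site may read
    single_use: bool    # the contacts grant is consumed after one read
    used: bool = False

class Provider:  # hypothetical stand-in for Facebook (constructed demo)
    def __init__(self):
        self.passwords = {"alice": "hunter2"}   # checked here, never sent to the 3rd party
        self.profile = {"alice": {"contacts": ["bob", "carol"], "wall": ["hi"]}}
        self.grants = {}                        # opaque token -> Grant

    def _issue(self, user, password, scopes, single_use):
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(16)       # the 3rd party only ever sees this
        self.grants[token] = Grant(user, frozenset(scopes), single_use)
        return token

    def login(self, user, password):            # flow 1: identity only, no data scopes
        return self._issue(user, password, set(), single_use=False)
    def approve_app(self, user, password, requested):  # flow 2: persistent, scoped
        return self._issue(user, password, requested, single_use=False)
    def share_contacts(self, user, password):   # flow 3: one-shot contacts read
        return self._issue(user, password, {"contacts"}, single_use=True)

    def fetch(self, token, field):
        g = self.grants.get(token)
        if g is None or g.used:
            raise PermissionError("invalid or consumed token")
        if field == "identity":
            return g.user                       # every flow answers "who is this?"
        if field not in g.scopes:
            raise PermissionError(f"scope {field!r} not granted")
        if g.single_use:
            g.used = True                       # contacts: must re-auth to read again
        return list(self.profile[g.user][field])

def relying_party_view(provider, token):
    """What a 3rd-party site can read with this token (None = denied)."""
    def read(field):
        try:
            return provider.fetch(token, field)
        except PermissionError:
            return None
    return {f: read(f) for f in ("identity", "contacts", "wall")}
```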
These may seem like peculiar nuances, but I find them helpful for knowing when I want to hit that “Facebook Connect” button on 3rd party sites or not. The main thing is, Facebook is protective of your data, because at the very least, their control of the social market depends on it. Keep an eye out for these screens, and you’ll know what data is being passed and what isn’t.