
The front end of my application is doing Facebook login. It gets the auth token back and submits it to the server. The server then calls the Graph URL with the token, but all the server gets back is the name and id. I'm manually calling curl like shown:

curl -v https://graph.facebook.com/me?access_token=...

But the response I get is just name and id.

{"name":"Henry Robers","id":"10155954328696972"}

My application needs an email in order to create an account and send a welcome letter and such, so I'm stuck. Any help is much appreciated.

ceejayoz
radamnyc
    Er... did you just post your private access token? – Alex Howansky Nov 30 '17 at 19:44
  • Email is entirely up to the user, and optional in the latest iteration of facebook connect. If you must have it, then you will run into troubles when users elect NOT to share their email. – IncredibleHat Nov 30 '17 at 19:44
  • @AlexHowansky He did. I just invalidated it via the API. – ceejayoz Nov 30 '17 at 19:45
  • @ceejayoz Ok cool, thanks for your vigilance. I'm not familiar with the API so wasn't sure how secret that bit was supposed to be. – Alex Howansky Nov 30 '17 at 19:46
  • @AlexHowansky Very secret, although thankfully this one had very minimal permissions. :-) – ceejayoz Nov 30 '17 at 19:47
  • I was under the impression my front end developer was using a test account so didn't think it was a security issue. Now I see he was using his own account – radamnyc Nov 30 '17 at 19:59
  • @AlexHowansky A `DELETE` request to `me/permissions` with a valid access token invalidates that token. You can do it at https://developers.facebook.com/tools/explorer/ quickly. – ceejayoz Nov 30 '17 at 19:59
  • @ceejayoz I meant, how did you have *permission* to do that? Took me a few minutes to realize, oh duh, YOU HAVE THE TOKEN, heh. I need a nap. :) – Alex Howansky Nov 30 '17 at 20:03
  • _“my application needs an email”_ - then be aware that you simply won’t get one from many users ... if they signed up to Facebook using their mobile, they might not have any email address set in their profile. – CBroe Dec 01 '17 at 08:18

1 Answer

  1. Your application must have requested, and the user must have approved, the user_email permission. (Since you posted an active access token, I checked and you do appear to have done that.)

  2. The API responds with a very small subset of fields by default. Adding fields=foo,bar to your call, like so, https://graph.facebook.com/me?fields=id,name,email&access_token=... should get that info (assuming you did #1).

  3. Don't share access tokens publicly, like you did here. I have invalidated it for you, but in many cases these will allow private data to be accessed, as well as posting on the user's behalf. Treat them as critical, private info like passwords.

ceejayoz
  • I have tried your example but I still only get name and id: curl -v https://graph.facebook.com/me?fields=id,name,email&access_token= {"name":"Henry Robers","id":""} – radamnyc Nov 30 '17 at 20:02
  • @radamnyc When you publicly shared the access token, I tested it and was able to get the email address. However, since I invalidated that token and its permissions, you may need to re-request the `user_email` permission now. – ceejayoz Nov 30 '17 at 20:04
  • Thanks for your help. Is that something that EACH user must say yes to, or is that something that we set up for our application? – radamnyc Nov 30 '17 at 20:07
  • @radamnyc Each user must be asked for and accept the permission via the OAuth flow. Some will reject it, and remember also that some Facebook users **don't have an email address** - Facebook permits phone-number-only signups as well. As such, your application will need to detect this and prompt the user to reapprove the permission or ask for their email in those cases. – ceejayoz Nov 30 '17 at 20:08
  • OK, so we need to figure out some way around it if someone authenticates with Facebook but doesn't allow us to get the email – radamnyc Nov 30 '17 at 20:10
  • Correct. You can check `me/permissions` for the `user_email` permission to see if they granted it. – ceejayoz Nov 30 '17 at 20:12
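A server-side version of the answer's steps 1 and 2 together with the `me/permissions` check from the comments, as an added example (not code from the answer or from Facebook's SDKs). It assumes the permission is listed as `email` in the `me/permissions` response (the thread calls it `user_email`, so both names are accepted) and, for offline use, a constructed stand-in fetcher that mimics the API omitting `email` when `fields=` is missing.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.facebook.com"
# Permission name as listed by me/permissions is "email"; the thread calls it
# user_email, so both spellings are accepted here (assumption).
EMAIL_PERMS = {"email", "user_email"}

def http_fetch(url):
    """Live GET returning the parsed JSON body (the offline stub replaces this)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def graph_get(path, token, fetch, **params):
    """GET GRAPH/path with the token as a query parameter, like the curl in the question."""
    params["access_token"] = token
    return fetch(f"{GRAPH}/{path}?{urllib.parse.urlencode(params)}")

def email_permission_granted(token, fetch=http_fetch):
    """The me/permissions check from the comments: did the user grant the email permission?"""
    data = graph_get("me/permissions", token, fetch).get("data", [])
    return any(p.get("permission") in EMAIL_PERMS and p.get("status") == "granted" for p in data)

def resolve_account(token, fetch=http_fetch):
    """Decide what the server does with this login: create the account ("ok"),
    prompt for an email in-app, or send the user back through the OAuth flow."""
    # fields= is required: without it the API returns only name and id.
    profile = graph_get("me", token, fetch, fields="id,name,email")
    if "id" not in profile:
        # Never echo the token or the full URL into logs or errors: it is a secret.
        raise ValueError("Graph API returned no user id; token is probably invalid")
    result = {"id": profile["id"], "name": profile.get("name"), "email": profile.get("email")}
    if result["email"]:
        return {**result, "status": "ok"}
    # No email: permission granted but nothing on file (phone-only signup) needs an
    # in-app prompt; a declined permission needs a re-request via the login flow.
    granted = email_permission_granted(token, fetch)
    return {**result, "status": "prompt_for_email" if granted else "reauthorize"}

def stub_fetch(responses):
    """Constructed offline stand-in for http_fetch: serves canned JSON per path and,
    like the real API, omits email when a /me call lacks fields=email."""
    def fetch(url):
        parsed = urllib.parse.urlparse(url)
        fields = urllib.parse.parse_qs(parsed.query).get("fields", [""])[0]
        path = parsed.path.lstrip("/")
        if path == "me" and "email" not in fields:
            return {"name": "Example User", "id": "1"}  # the question's symptom
        return responses[path]
    return fetch
```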