Handling Declined Permissions

When people create accounts or log into your app using Facebook Login, they have the opportunity to grant the permissions you request. But people also have an opportunity to decline all permissions except their public profile. People may choose to do this if they feel uncomfortable sharing this information with your app, or they don't understand how that information will be used to enhance their experience.

When people choose to decline permissions, it's important that your app respects their choice and still provides a great experience.

In general, your app may react in one of three ways:

  1. Continue on without the information
  2. Explain why you need the information and reprompt for it
  3. Collect the information yourself

Continue Without the Information

In some cases, a certain requested permission may not be required for your app to function. In this case, the simplest thing to do is to respect the decline and continue to lead the person into the app.

In the example below, Flick Finder might be able to provide enhanced movie recommendations if it had access to the user_likes permission. But since the person declined that permission, Flick Finder just presents more generic recommendations.

This is the simplest option, and it provides a great, respectful experience to people who choose to decline certain permissions.

Explain Why and Reprompt

People may decline a permission because they don't understand why your app needs that information. In this case, your app could display a dialog explaining why you need the information and how it'll be used to enhance the experience.

In the example below, Flick Finder displays a dialog explaining that with an email address, the app can send you updates when new movies become available. The “Add Email” button takes the person back to the Facebook Login flow where they can grant the email permission.

Note that in this example, the person still has the opportunity not to grant the email permission.

This strategy can be used for permissions that are critical or highly desirable for the functionality of your app.

Collect the Information Yourself

Some pieces of information may be simple enough to collect for yourself.

In this example, Flick Finder wants to collect a person's birthday so it can recommend age-appropriate movies. If a person has declined to share their birthday when they logged in with Facebook, Flick Finder can still create a place to collect the information inside the app, separate from the Facebook Login flow. We recommend doing this after a person has had some time to familiarize themselves with your app, so they have a better understanding of how the permission will improve their experience.

Examples of information that might be collected this way include user_hometown, user_location, user_birthday or even email.

Detecting Declined Permissions

When people decline permissions as part of a Facebook Login flow, we make it easy for your app to detect this and react using one of the strategies outlined above.

Android SDK

On Android, you can call the getDeclinedPermissions method on the AccessToken object in the Facebook SDK for Android.

iOS SDK

On iOS, you can call the [FBSDKAccessToken declinedPermissions] method in the Facebook SDK for iOS.

JavaScript SDK

To detect declined permissions, you can call the permissions edge on the User object of the Graph API. You can collect any declined permissions by iterating through the response:

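FB.api('/me/permissions', function(response) {
  // Bail out if the Graph API call failed or returned no data
  if (!response || response.error || !response.data) {
    return;
  }
  var declined = [];
  for (var i = 0; i < response.data.length; i++) {
    // Each entry carries a permission name and a "granted"/"declined" status
    if (response.data[i].status === 'declined') {
      declined.push(response.data[i].permission);
    }
  }
  alert(declined.toString());
});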

API

To detect declined permissions, you can call the permissions edge on the User object of the Graph API:

GET https://graph.facebook.com/me/permissions?access_token=USER_ACCESS_TOKEN

which yields a response of the form:

{ "data": [
    {
      "permission": "user_birthday",
      "status": "granted"
    },
    {
      "permission": "public_profile",
      "status": "granted"
    },
    {
      "permission": "email",
      "status": "declined"
    }
]}

This tells your app that the person granted the user_birthday and public_profile permissions, but chose to decline the email permission.
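
The sketch below is an added example, not code from the Facebook SDK or from this page: it classifies the response above against the permissions an app requested and maps each declined one to one of the three strategies. The `POLICY` table, the function names and the requested list are assumptions. Only an explicit "granted" status counts, so an errored or malformed response grants nothing.

```javascript
// Hypothetical policy: which of the page's three strategies applies to each
// permission when it is declined. An app would define its own table.
const POLICY = {
  user_likes: 'continue',    // optional: fall back to generic recommendations
  email: 'reprompt',         // explain why, then send back through Facebook Login
  user_birthday: 'collect',  // ask inside the app, outside the login flow
};

// Constructed sample input: the response shown above, plus a requested list.
const SAMPLE_RESPONSE = { data: [
  { permission: 'user_birthday', status: 'granted' },
  { permission: 'public_profile', status: 'granted' },
  { permission: 'email', status: 'declined' },
] };
const REQUESTED = ['public_profile', 'email', 'user_birthday', 'user_likes'];

// Sort each requested permission into granted / declined / unknown.
// An error or malformed body leaves every requested permission unknown.
function classifyPermissions(response, requested) {
  const result = { ok: false, granted: [], declined: [], unknown: [] };
  if (!response || response.error || !Array.isArray(response.data)) {
    result.unknown = requested.slice();
    return result;
  }
  const status = new Map();
  for (const entry of response.data) {
    if (entry && typeof entry.permission === 'string') {
      status.set(entry.permission, entry.status);
    }
  }
  result.ok = true;
  for (const perm of requested) {
    const s = status.get(perm);
    if (s === 'granted') result.granted.push(perm);
    else if (s === 'declined') result.declined.push(perm);
    else result.unknown.push(perm); // absent from the response or unexpected status
  }
  return result;
}

// Group declined permissions by strategy; unlisted ones default to "continue".
function planForDeclined(declined, policy) {
  const plan = { continue: [], reprompt: [], collect: [] };
  for (const perm of declined) {
    const known = Object.prototype.hasOwnProperty.call(policy, perm);
    const bucket = known ? plan[policy[perm]] : plan.continue;
    (Array.isArray(bucket) ? bucket : plan.continue).push(perm);
  }
  return plan;
}
```

Permissions that land in `unknown` were requested but do not appear in the response with a recognized status, so the app should treat them as unavailable rather than assume they were granted.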

Summary

Elegantly handling declined permissions is an important part of providing a great Facebook Login experience to people.

Implementing one of the above strategies will ensure the people who download and install your app are able to log in without encountering disruptive and frustrating experiences that affect your app's reputation and app store rating.