Finally found: best way to discover granted Facebook app permissions (artchang.com)
33 points by kineticac on March 20, 2011 | 7 comments


Great job guys. As we are building our core app, this is something that we have been committed to do, from day one. I am real glad that we have some precedence now to follow. We believe that an app should ask for the least amount of profile data as possible to do what it needs to do. And if that changes as the app grows, then it should request for additional permission as it's defined in a granular manner. Offline Access is a bad idea especially when 99% of apps are those you play with for two days and never ever use again.

Once again, thank you. We look forward to doing the same and giving our users control of their privacy and their data.


Why not just store the permissions granted on your end as you get them? Why do you need to ask Facebook?


Good question. There's a few things going on here. If a brand new user comes and you store his initial permissions and also set up the web hook to get updates on user permission changes (such as if she removes offline_access from facebook.com/settings/?tab=applications) then you can just query your backend (which would store this somewhere). Then you won't ever have to do this.

What if, for example, this is a pure client side application that doesn't store anything in a backend database? Every time a user comes to your site, you can check to see if local storage has anything, sure, but if they're on a new computer or have cleared their storage, you're in the dark.


Oh, an edge case: If Facebook doesn't call your web hook to update your db on the newest permissions before a user revisits your site, you may have some bad consequences.

Another edge case: say you have millions of users, only 1000 regularly visit the site. You would have webhooks for a million users updating your backend, rather than just confirming permissions with Facebook whenever they arrive to your site. The hop to Facebook is probably just as fast, if not faster, than checking in with your own backend. Let Facebook take the brunt of the traffic ;)


Feedback appreciated from Facebook API hackers!


As a Facebook hacker, I'd be interested in seeing what the instructional popups you made look like.

I think asking for the bare minimum as you need it is absolutely the way to go as tons of people bounce out of apps that need all kinds of permissions before they get to even see the app. I get sick of seeing apps that want offline publish access before I even know what the app is because the developers are lazy and just request all permissions available.


I'll definitely be able to show you soon. We're finishing up a few final touches on our beta, but sign up now and we'll send you a beta invite asap! We should be ready on Monday. http://feedtopic.com has a signup on the beta roadblock.

In the meantime, I can give you a quick description of what we have going on: each link that requires an extra permission not asked up front has a listener that will check what permissions are available. If it's missing a permission, we actually trigger a Facebox (from @defunkt's facebook lib). The Facebox defaults are really clean. Light overlay, slight shadow, nothing fancy. We put in different messages for different actions, one for example: "Yes you can like someone's post from FeedTopic! We need a new permission from Facebook to do this for you. Click the 'Add Permission' button to bring up Facebook's Permissions page". We have a button that looks SUPER clickable, like if you didn't click it you'd feel horrible because it has nice CSS gradients and looks like it's 3D. Underneath we have a message that says: "We won't publish anything without your direct permission to any part of Facebook, promise". Once you click the button, it will show you the FB permission prompt. Yes, it's multiple steps, but it's clean and makes people feel really confident. BTW, liking something on feedtopic is probably the last thing people are going to the site for ;) It's just a small piece of info I can give away for now before the launch.
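
The per-action check described in the thread (look up what is granted when the user acts, ask only for what is missing), sketched as an added example that is not part of the thread and is not FeedTopic's or Facebook's code. The action names, the mapping and the two callbacks `fetchGranted` and `promptUser` are assumptions made for illustration.

```javascript
// Constructed mapping of UI actions to the extra permissions each one needs.
const REQUIRED_BY_ACTION = new Map([
  ['view_feed', []],
  ['like_post', ['publish_stream']],
  ['background_sync', ['offline_access']],
]);

// Permissions an action still lacks, given what is granted right now.
function missingPermissions(action, grantedList) {
  if (!REQUIRED_BY_ACTION.has(action)) {
    throw new Error('unknown action: ' + action); // no default grant
  }
  const granted = new Set(grantedList);
  return REQUIRED_BY_ACTION.get(action).filter((p) => !granted.has(p));
}

// fetchGranted: hypothetical async callback returning the permission names
// the platform reports as granted at this moment (no local cache), so a
// revocation made in the user's settings is seen on the next action.
// promptUser: hypothetical async callback that explains the request, opens
// the platform's permission dialog and resolves true if the user went ahead.
function createPermissionGate(fetchGranted, promptUser) {
  return async function gate(action) {
    // With nothing granted, "missing" is the full requirement list.
    const required = missingPermissions(action, []);
    if (required.length === 0) return { allowed: true, missing: [] };
    try {
      let missing = missingPermissions(action, await fetchGranted());
      // Ask only for what this action lacks, never the whole set.
      if (missing.length > 0 && (await promptUser(action, missing))) {
        // Re-query instead of trusting the dialog's own result.
        missing = missingPermissions(action, await fetchGranted());
      }
      return { allowed: missing.length === 0, missing };
    } catch (err) {
      // Lookup or prompt failed: deny rather than assume an old grant holds.
      return { allowed: false, missing: required, reason: 'check_failed' };
    }
  };
}
```
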



