Facebook friend validation on an external website

Tag: facebook Author: lisheng76 Date: 2009-08-05

I'm interested in using Facebook as a way to validate that someone is my friend on an external site, and based on that, show them special content.

Inside Facebook, consider this scenario:

  1. I post photos and give permission to friends only
  2. Someone tries to view my photos by URL
  3. If that person is my friend, Facebook displays the photos.

I want to mimic this behavior on my own personal website:

  1. User follows a link to "private" content
  2. My site (either by server-side, JS, Ajax, iframe, whatever) asks Facebook if the person is logged into Facebook in their browser.
  3. If not, user is presented with a Facebook popup to log in.
  4. When the user is logged in, my site asks Facebook if they are my friend (ID coded into the site), and if so, presents them with the content

Is this possible without requiring the user to "authorize" my site or application? My only idea (based on http://wiki.developers.facebook.com/index.php/Authorizing%5FApplications) is that I could create an application for my site, and then on the external site, load my Facebook application in a hidden iframe (which would in turn load my site in an iframe) to give my site the Facebook user ID and store it in the session.

What is the best way to accomplish this?

I don't have an answer so I won't post one but I don't think this is possible.

Best Answer

Yes, this should be possible. You would have to utilize Facebook Connect. The basic flow would be something like you described above:

  1. User on your site follows a link to private content. This content is marked in your database (or otherwise) with the owner's Facebook Id.
  2. Your site uses the Facebook API to check whether the visitor is logged in to Facebook. If not, deny access.
  3. If they are logged in, you can utilize the friends.areFriends API method to compare the visitor's Facebook ID with the content owner's Facebook ID. If they aren't friends, deny access, otherwise you can show it.

Facebook Connect is actually fairly easy to implement, despite the terrible docs that are hard to understand. Once you have it up and running, it basically means that any visitor to your site that is logged in to Facebook will provide you with a session key that you can use to query Facebook for information about them.
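The three steps above as a server-side gate that denies by default; this is an added example, not part of the original answer and not Facebook's client code. The `fb_uid` session key, the `lookup` callable that wraps the friends.areFriends call, and the row shape `{"uid1", "uid2", "are_friends"}` are assumptions made for illustration.

```python
from typing import Callable, Iterable, Mapping

# Assumed shape of one friends.areFriends result row (not taken from the page):
#   {"uid1": <id>, "uid2": <id>, "are_friends": True | False | None}
Rows = Iterable[Mapping[str, object]]
FRIEND_VALUES = (True, 1, "1")  # anything else, including None/unknown, denies


def is_confirmed_friend(rows: Rows, visitor_id: str, owner_id: str) -> bool:
    """True only if a row names exactly this pair and affirms the friendship."""
    try:
        for row in rows:
            pair = {str(row.get("uid1")), str(row.get("uid2"))}
            if pair == {visitor_id, owner_id} and row.get("are_friends") in FRIEND_VALUES:
                return True
    except (TypeError, AttributeError):  # malformed response: deny
        return False
    return False


def may_view(session: Mapping[str, object], owner_id: str,
             lookup: Callable[[str, str], Rows]) -> bool:
    """Gate private content; every failure path returns False."""
    # "fb_uid" is a hypothetical session key the server sets only after it has
    # established the visitor's Facebook login. Never read it from a URL or form.
    visitor_id = session.get("fb_uid")
    if not visitor_id or not owner_id:
        return False  # step 2: not logged in to Facebook
    visitor_id, owner_id = str(visitor_id), str(owner_id)
    try:
        rows = lookup(visitor_id, owner_id)  # step 3: wraps friends.areFriends
    except Exception:
        return False  # API error or timeout: deny rather than show
    return is_confirmed_friend(rows, visitor_id, owner_id)


# Constructed stand-ins for the API call, for running the gate offline.
def friends(v, o): return [{"uid1": v, "uid2": o, "are_friends": True}]
def unknown(v, o): return [{"uid1": v, "uid2": o, "are_friends": None}]
def other_pair(v, o): return [{"uid1": v, "uid2": "999", "are_friends": True}]
def broken(v, o): raise TimeoutError("constructed failure")

if __name__ == "__main__":
    for fn in (friends, unknown, other_pair, broken):
        print(fn.__name__, may_view({"fb_uid": "100"}, "200", fn))
    print("anonymous", may_view({}, "200", friends))
```

The content owner's ID comes from the site's own record of the content and the visitor's ID from the server-side session, so neither value is taken from the request.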


I'm trying to decide if I can mark this as an accepted answer. I just need to know one more thing - is there any way I can execute the steps you have listed above WITHOUT prompting them with the Facebook Connect authorization popup window? (i.e., something like my IFRAME idea?)

In order to use the Facebook API to get friend information, your web visitor is going to have to log into Facebook at some point. You can't get friend info otherwise. If you were able to query Facebook without an active session it would be a serious privacy problem. Your visitors may arrive at your site already logged in to FB, in which case you don't have to prompt them. Your iframe idea would probably work in some capacity, but instead of prompting them the user would have to add your application and access it through Facebook apps, which is pretty much the same thing.

It is the case where the user is already logged into Facebook about which I am curious - if they are, how can I get their ID without prompting them (if this is their first visit to my site)?