I'm currently building my own login workflow as described in https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/.
Everything works like a charm but one tiny thing: At the moment my site redirects the user to Facebook with the scope
parameter set to only email
.
But then the user is asked to grant access not only to their public profile and their email but also to their friend list. When accepted and sent back to my site the scope
parameter now also reads email, user_friends
.
Is there a reason why this happens and is there a way to prevent this for the moment?