I'm the administrator of a small group on Facebook, it has about 40-50 members. Now I'm building a webpage for the group which will authorize users using Facebook Login (I'm using Laravel + SammyK's LaravelFacebookSDK if that matters).

Everything works fine, there is a problem though. I'd like to restrict login for only those who are members of the Facebook group. The best way would be using the /me/groups API, but that requires user_groups permission, which is restricted.

Of course there are 'hacky' solutions like making each user manually to an App Insight user or writing a script that updates a database on my server every day that contains the list of the group members, but isn't there a simple, elegant way to do this?

I highly doubt Facebook will allow me to use the user_groups permission just for this.

Well the graph API does provide this functionality as you said, you would just need user permission, not facebooks. As you could communicate the need and benefits of this permission, you would just need to write it down, somewhere close to your registration/login. You then need to specify the user_groups inside the scope variable, that your sending with the getLoginUrl Method.

$scope = ['email', 'user_status', 'user_groups']; // it is 'groups' or 'user_groups'
$login_url = $fqb->auth()->getLoginUrl('http://my-callback/url', $scope);

I did not test this code, as I do not have an installation at hand, but from everything I just read, this is how it should work.

Edit: Almost forgot, you would get the data out of your Facebook object using the following notation:

 $groups = $fqb->object('me/groups')->get();

Looks like there is only one nice way to achieve this:

Although /me/groups requires user_groups permission to retrieve groups the user is a member of, it can return groups created by the app without it (given there is a valid access token of course).

So - while it's clearly not as nice and seamless as I wanted it to be - my solution was to create a new Facebook group using the app (requires only a POST request) and move current members to this new one.

Edit: moving members is not a possibility, joining an app group is only possible programatically using the SDK. Therefore, when a user is not a member of this group, I'll prompt them to join. It means that everybody can join and I have to manually ban those I don't like instead of manually allowing those I want to, but given the low publicity, I can deal with this.

Yeah this is quite "fun" to implement. I remember being able to do it, but I don't have any specific code to help unfortunately. I can tell you, that it will require multiple tokens.

If I remember correctly, this is the logical flow:

Get the user's own token.
Then the group's token using the user's token.

And then you would control the data the individual is allowed to send to the group from within your application.