In FBML applications, you could prompt for extended permissions like so:
Facebook.showPermissionDialog('publish_stream', callback);
This rendered a lightbox (much like FB.ui({method: 'foo', display: 'iframe'}); does).
From what I'm seeing in the docs, the only ways to prompt for more extended permissions now are to either cause a window to pop up with FB.login(), or to redirect the user to the oauth dialog full screen. We don't want to rely on the former because popup windows are unreliable, and the latter makes no sense in our user interaction flow. A lightbox is the only way that makes sense.
If the oauth dialog could be displayed as an iframe, this code would theoretically work:
FB.ui({method: 'oauth',
display: 'iframe',
access_token: 'foo',
scope: 'publish_stream'
}, callback);
But the oauth dialog only supports being displayed as "page" and "mobile".
Is there any way I have overlooked?
Think about it: It's of course not possible to use the auth dialog in an iframe, because it's a security matter.
Displaying it in a popup or redirecting to it gives the user the ability to check the sites address is actually facebook.com.
If you where to use the auth dialog in a lightbox as an iframe or similar, there would be no way for me as the user to see if the data it put into the login form (which would get displayed if I'm not logged in to Facebook at that moment) is actually sent to Facebook, or if you had just set up your own form that'll send the data to your server, because you are trying to phish for my Facebook login data …