facebook-ios-sdk
facebook-ios-sdk copied to clipboard
facebook
v17.0.0 Invalid access tokenString
Checklist before submitting a bug report
- [X] I've updated to the latest released version of the SDK
- [X] I've searched for existing GitHub issues
- [X] I've looked for existing answers on Stack Overflow, the Facebook Developer Community Forum and the Facebook Developers Group
- [X] I've read the Code of Conduct
- [X] This issue is not security related and can safely be disclosed publicly on GitHub
Xcode version
15.3
Facebook iOS SDK version
17.0.0
Dependency Manager
SPM
SDK Framework
Login
Goals
Have a valid access token after logging in
Expected results
Calling AccessToken.current?.tokenString should give me a token that can be validated using the Access Token Debugger
Actual results
I get Invalid OAuth access token - Cannot parse access token from the Access Token Debugger tool
Steps to reproduce
In a project following the the basic set up tutorial run the following
FacebookLogin.LoginManager().logIn(permissions: ["public_profile"], from: self) { result, error in
print(AccessToken.current?.tokenString)
}
Use the printed string in the Access Token Debugger https://developers.facebook.com/tools/debug/accesstoken
Code samples & details
No response
Additional details
This works as expected in 16.3.1
It looks like starting iOS 17 you are getting a valid access token only if the user agreed for the app tracking. If the user did not agree or the app has not asked yet (status not determined) then the SDK is switching to the limited login mode. Agree, It is weird that they return a malformed access token in this case.
@TatyanaLeschenok so how do i proceed from there if the access token is invalid and i cant use it to get public_profile fields ?
@TatyanaLeschenok so how do i proceed from there if the access token is invalid and i cant use it to get public_profile fields ?
In the limited login mode, facebook with return an authentication token, which contains user profile. Just decode it locally.
@mjlmton my application normally sends the accesstoken in SDK 16.3.1 to our backend, and from there we grap user photos for the account sign up process.
can i still send the AuthenticationToken to my backend and update my backend to be able to use it? what is in the JWT value?
@mmdock
can i still send the AuthenticationToken to my backend and update my backend to be able to use it?
Yes, send it to the backend, use the token fields after validating it.
what is in the JWT value?
It depends on what the user granted. Check the official doc limited login permissions.
For user profile, we decode from authentication token and get family_name,middle_name,given_name,name,picture
Having so much issue with v17. Now Privacy Manifest will block everyone's releases in May 1st, 2024.
Hello,
In response to the upcoming changes to ATT enforcement, we made changes to the iOS SDK and the SDK no longer provides valid user access tokens in scenarios where the user opts out of ATT. The access token validation or Graph API requests may throw errors like OAuthException - “Invalid OAuth access token - Cannot parse access token”. Our recommendation is that users integrate Limited Login following the official documentation: https://developers.facebook.com/docs/facebook-login/limited-login/ios https://developers.facebook.com/docs/facebook-login/limited-login/unity/
See more details here.
@zhong-meta how are we supposed to proceed if we are using a third-party login provider which doesn't support the new JWT? We've reached out but have no control over our login provider supporting this new token.
@zhong-meta hello, when we process the token fields in limited-login Authentication Token, we find the public_profile related fields are not consistent with fields from graph-api. We propose a question in the Facebook Developer Community Forum. Please help to check out.
Same problem here. We are using a third party system and we are providing them the access token to keep the link between user and facebook. New token is simply rejected with an invalid token error.
Should we just prevent the facebook login if the user rejected the tracking for ATT?
@rossojr92
Should we just prevent the facebook login if the user rejected the tracking for ATT?
IMHO, It depends on how you(the third party system) use the access token.
- If you just get user basic infomation like openid, username, etc, the limited-login-token can support this. In this case, your business logic can keep going.
- But if you use the token to get more detail through graph-api, the limited-login-token doesn't support. In this case, you'd better prevent