limited login auth token not refreshed when trackingPreference not explicitly passed in login config
Checklist before submitting a bug report
- [X] I've updated to the latest released version of the SDK
- [X] I've searched for existing GitHub issues
- [X] I've looked for existing answers on Stack Overflow, the Facebook Developer Community Forum and the Facebook Developers Group
- [X] I've read the Code of Conduct
- [X] This issue is not security related and can safely be disclosed publicly on GitHub
Xcode version
15.1
Facebook iOS SDK version
17.0.0
Dependency Manager
CocoaPods
SDK Framework
Login
Goals
To consistently get a valid JWT token when invoking the login method in the Facebook SDK
Expected results
Any time I invoke the Login methods on the SDK, a new authentication token should be returned that can be verified and converted into a user session.
Actual results
Repeatedly receive the same authentication token even after expiry on subsequent Login invocations.
Steps to reproduce
You can reproduce this bug in the sample login app in this repo with some small changes:
- Configure the sample app with the client app id, secret key and url schemes
- Open up the LoginManagerViewController and comment out the optional trackingPreference param in the config:
```swift
var configuration: LoginConfiguration? {
    if let nonce = nonce, !nonce.isEmpty {
        return LoginConfiguration(
            permissions: [.publicProfile, .email],
            // tracking: trackingPreference,
            nonce: nonce
        )
    }
    else {
        return LoginConfiguration(
            permissions: [.publicProfile, .email]
            // tracking: trackingPreference
        )
    }
}
```
- Run the app, open the Login Manager Example and tap 'Invoke login method' and complete login
- Take note of the authentication token on the Login Details page that shows
- Go back
- Tap 'Invoke login method' again and complete login
- Observe that the authentication token is the exact same token on the Login Details Page
- Undo changes from step 2
- Repeat steps 3-7
- Observe the authentication token changes with each login as expected
Code samples & details
This can be worked around by explicitly passing the trackingPreference, but it is quite confusing with the latest SDK version automatically opting into limited login without it being passed explicitly in the config. It is a risk: if anything goes wrong with converting the initial login to a session, users can end up locked out of Facebook login.
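The concern raised above is that a token left over from an earlier login gets turned into a user session. The following server-side check is an added example, not code from this report or from the Facebook SDK, showing how a per-login nonce and expiry check catches that behaviour: when the second login hands back the first login's token, the nonce no longer matches the one generated for the new attempt and the token is refused instead of becoming a session. It assumes the Limited Login token is an OIDC-style JWT carrying `iss`, `aud`, `exp` and `nonce` claims, that the signature has already been verified against Facebook's published keys by a JWT library (not shown here), and that the app id is a placeholder; the tokens it builds are constructed test data.

```python
import base64
import json
import time
from typing import Optional

# Constructed sample values for this example; not real Facebook identifiers.
# Assumption: Limited Login tokens are issued by Facebook as OIDC JWTs with
# issuer https://www.facebook.com and the app id as audience.
EXPECTED_ISSUER = "https://www.facebook.com"
APP_ID = "APP_ID_PLACEHOLDER"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_test_token(claims: dict) -> str:
    """Build an UNSIGNED JWT-shaped string carrying `claims` (constructed test data).

    Real tokens carry a signature; this helper only exists so the claims check
    below can run offline.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def check_login_token(token: str, expected_nonce: str, now: Optional[int] = None) -> dict:
    """Validate the claims of a token presented to the backend at login.

    Precondition (assumed done by the caller with a JWT library and Facebook's
    published JWKS): the signature has already been verified. This function
    checks only the claims that catch a stale or replayed token:
      - iss / aud bind the token to Facebook and to this app
      - exp rejects a token past its expiry
      - nonce must equal the nonce generated for *this* login attempt, so a
        token cached from an earlier login is refused rather than becoming a session
    Raises ValueError on any failure; returns the claims on success.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated segments")
    claims = json.loads(_b64url_decode(parts[1]))

    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != APP_ID:
        raise ValueError("token was not issued for this app")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired or missing exp")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token does not belong to this login attempt")
    return claims


def demo() -> dict:
    """Walk through the scenario from the report: two logins, the second returns the first token."""
    base = 1_700_000_000
    first_nonce, second_nonce = "nonce-login-1", "nonce-login-2"
    first_token = make_test_token({
        "iss": EXPECTED_ISSUER, "aud": APP_ID, "sub": "user-123",
        "iat": base, "exp": base + 3600, "nonce": first_nonce,
    })
    results = {}
    # First login: fresh token, nonce matches the one the client generated.
    results["first_login"] = check_login_token(first_token, first_nonce, now=base + 10)["sub"]
    # Second login: the client generated a new nonce but got the cached token back.
    try:
        check_login_token(first_token, second_nonce, now=base + 20)
        results["replayed_token"] = "accepted"
    except ValueError as err:
        results["replayed_token"] = str(err)
    # The same cached token presented after its expiry.
    try:
        check_login_token(first_token, first_nonce, now=base + 7200)
        results["expired_token"] = "accepted"
    except ValueError as err:
        results["expired_token"] = str(err)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The useful property here is that the nonce is generated per login attempt on the client and echoed in the token, so a backend that insists on the current attempt's nonce turns the stale-token behaviour into a visible rejection rather than a silently reused session.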
Hello,
In response to the upcoming changes to ATT enforcement, we made changes to the iOS SDK and the SDK no longer provides valid user access tokens in scenarios where the user opts out of ATT. The access token validation or Graph API requests may throw errors like OAuthException - “Invalid OAuth access token - Cannot parse access token”. Our recommendation is that users integrate Limited Login following the official documentation: https://developers.facebook.com/docs/facebook-login/limited-login/ios https://developers.facebook.com/docs/facebook-login/limited-login/unity/
See more details here.
I understand that, but it isn't the issue at hand: the authentication token returned from the SDK does not refresh unless you explicitly pass the .limited param, which feels like a bug.
Hey @zhong-meta, that is not a valid response to the issue raised.