
Facebook Social Auth signInWithIdToken needs custom parser

Open kelvanb97 opened this issue 1 year ago • 25 comments

Bug Report

Describe the bug

Experiencing issues with supabase.auth.signInWithIdToken via the react-native-fbsdk-next lib, custom auth flow, and web-based approach for authentication. All errors point in the same direction:

ERROR : {"name":"AuthApiError","message":"Bad ID token","status":400}

To Reproduce

Steps to reproduce the behavior:

  1. Implement supabase.auth.signInWithIdToken with react-native-fbsdk-next according to Supabase docs.
  2. Attempt to log in using Facebook credentials.
  3. In a separate scenario, follow the WebBrowser-based authentication approach.
  4. Observe the errors in both methods.

Expected behavior

Successful authentication without errors using both the native and web approaches for logging in with Facebook credentials.

Screenshots

N/A

System information

N/A

Additional context

The issue seems related to handling JWT structures and server-side errors during the authentication process. Investigations into Supabase's handling of generic ID tokens and discussions on platforms like Reddit suggest this might be an upstream error with Supabase. Looking at the function ParseIDToken found at auth/internal/api/provider/oidc.go it looks like the same pattern needs to be applied to Facebook Id tokens.

Suggested fix

Add a new function parseFacebookIdToken to ParseIDToken that is specifically designed for FB JWT tokens.

kelvanb97 avatar Apr 09 '24 17:04 kelvanb97

Same, Android only.

nikitapilgrim avatar May 21 '24 21:05 nikitapilgrim

I'm also running into this trying to transition from Firebase auth to Supabase auth. It seems that Facebook auth is not usable with Supabase at the moment? This is a critical blocker for us. @hf @kangmingtay is this easily resolvable?

evelant avatar May 23 '24 20:05 evelant

Hey,

Thanks everyone. Would anyone be able to supply us the rough structure of a JWT issued by Facebook auth? With sensitive fields omitted of course.

J0 avatar May 27 '24 14:05 J0

Facebook encrypts their token. AFAIK there's no way to decode it. Looking at their docs it's unclear how to get a plain JWT from them. https://developers.facebook.com/docs/facebook-login/guides/access-tokens

evelant avatar May 27 '24 15:05 evelant

Supabase auth may need to take the encrypted facebook token and call a facebook endpoint to validate it then mint a jwt for the user based on that.

evelant avatar May 27 '24 15:05 evelant

Same issue here. Without Facebook login integration working, we can't use Supabase.

max-win avatar Jun 03 '24 08:06 max-win

Facing the same issue when trying to implement Facebook Limited Login in an app.

token = AuthenticationToken.getAuthenticationTokenIOS() from react-native-fbsdk-next

Running supabase.auth.signInWithIdToken({ provider: "facebook", token: token, nonce: "xxxx" }) returns error [AuthApiError: Bad ID token]

JWT structure of token is below @J0. I believe it's valid and just unsupported on supabase side?

{
  "iss": "https://www.facebook.com",
  "aud": "1891562374xxxxxx",
  "sub": "7897141157xxxxxx",
  "iat": 1719494213,
  "exp": 1719497813,
  "jti": "xxxxxxxxx",
  "nonce": "xxxxxx",
  "at_hash": "xxxxxxxx",
  "given_name": "Name",
  "family_name": "Surname",
  "name": "Name Surname",
  "picture": "https://platform-lookaside.fbsbx.com/platform/profilepic/?xxxx"
}

dimatarasenko1 avatar Jun 27 '24 13:06 dimatarasenko1

@dimatarasenko1 Unfortunately that will only work on iOS. AFAIK you can't use limited login on Android.

evelant avatar Jun 27 '24 15:06 evelant

To be clear that's running on iOS via react-native-fbsdk-next, executing AuthenticationToken.getAuthenticationTokenIOS() and returning a JWT token all ok on the Facebook side @evelant

The error is thrown when passing this token to supabase.auth.signInWithIdToken

dimatarasenko1 avatar Jun 27 '24 16:06 dimatarasenko1

Yes I'm aware, I was just pointing out that even if Supabase fixes parsing of that token it won't help with Android at all because you can't get a limited login token on Android.

evelant avatar Jun 27 '24 21:06 evelant

+1

oddanderson avatar Jul 23 '24 04:07 oddanderson

I'm also running into this trying to transition from Firebase auth to Supabase auth. It seems that Facebook auth is not usable with Supabase at the moment? This is a critical blocker for us. @hf @kangmingtay is this easily resolvable?

Hey @evelant,

Have you found a workaround for this issue? I am also trying to transition from Firebase Auth, and this is completely blocking me.

f-bog avatar Jul 31 '24 04:07 f-bog

Hi everyone, we're aware of this problem with signInWithIdToken and facebook - currently, the team is stretched extremely thin on bandwidth and it will be quite some time before we're able to investigate the root cause and push a fix for it.

We do welcome any contributions to attempt to fix this issue and we'll be more than happy to help review it:

  • Entrypoint for signInWithIdToken flow (https://github.com/supabase/auth/blob/master/internal/api/token_oidc.go#L120)
  • Where we handle parsing the id tokens for identity providers (https://github.com/supabase/auth/blob/6ccd814309dca70a9e3585543887194b05d725d3/internal/api/provider/oidc.go#L55-L70)
  • Facebook uses the parseGenericIDToken method, which may have some issues with the underlying spec used by facebook.

Here are some useful references sent by another user in an internal support ticket:

  1. Facebook's OpenID configuration endpoint: https://www.facebook.com/.well-known/openid-configuration/
  2. Token endpoint: https://graph.facebook.com/v17.0/oauth/access_token
  3. Possibly a useful link to why facebook's OIDC endpoint doesn't work for the generic use case: https://stackoverflow.com/questions/76473817/is-it-possible-to-use-facebook-limited-login-via-openid-connect-with-pac4j

kangmingtay avatar Aug 01 '24 18:08 kangmingtay
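To make the pointers above concrete, here is an added example (my own code, not Supabase's and not its parseGenericIDToken implementation) of the checks an ID-token parser has to perform on the claim set dimatarasenko1 posted: decode the compact JWS, reject any alg other than the expected one, verify the signature over the raw base64 segments, and only then check iss, aud, nonce, exp and sub. So that it runs offline it signs a constructed token with a locally generated RSA key; in a real deployment the public key would be fetched from the issuer's JWKS, which is an assumption not shown here. The app id and nonce are the masked values from the posted token.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// FacebookIssuer is the "iss" value shown in the Limited Login token posted in the thread.
const FacebookIssuer = "https://www.facebook.com"

// IDTokenClaims holds the claims we validate; names follow the posted token.
// The posted token carries "aud" as a plain string; OIDC Core also permits an array.
type IDTokenClaims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signRS256 builds a compact JWS with a local key so the example is self-contained (constructed, not a Facebook token).
func signRS256(key *rsa.PrivateKey, claims IDTokenClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyFacebookIDToken verifies signature and alg first, then iss, aud, nonce, exp and sub.
// pub stands in for the key a server would look up in the issuer's JWKS (hypothetical here).
func VerifyFacebookIDToken(token string, pub *rsa.PublicKey, wantAud, wantNonce string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("bad ID token: expected header.payload.signature")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("bad ID token: segment %d is not base64url", i)
		}
		raw[i] = b
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("bad ID token: unsupported alg %q", hdr.Alg) // never accept "none" or an unexpected alg
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // sign/verify over the untouched segments
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("bad ID token: signature does not verify")
	}
	var c IDTokenClaims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, errors.New("bad ID token: payload is not a JSON claim set")
	}
	switch {
	case c.Iss != FacebookIssuer:
		return nil, fmt.Errorf("bad ID token: issuer %q", c.Iss)
	case c.Aud != wantAud:
		return nil, errors.New("bad ID token: audience is not this app")
	case c.Nonce != wantNonce:
		return nil, errors.New("bad ID token: nonce mismatch (replayed or foreign token)")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("bad ID token: expired")
	case c.Sub == "":
		return nil, errors.New("bad ID token: missing sub")
	}
	return &c, nil
}

// SelfCheck signs a constructed token and exercises accept and reject paths; nil means every path behaved.
func SelfCheck() error {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	now := time.Unix(1719494213, 0) // the iat from the posted token
	aud, nonce := "1891562374xxxxxx", "xxxxxx"
	tok, err := signRS256(key, IDTokenClaims{Iss: FacebookIssuer, Aud: aud, Sub: "7897141157xxxxxx", Iat: now.Unix(), Exp: now.Unix() + 3600, Nonce: nonce})
	if err != nil {
		return err
	}
	if _, err := VerifyFacebookIDToken(tok, &key.PublicKey, aud, nonce, now); err != nil {
		return fmt.Errorf("valid token rejected: %w", err)
	}
	if _, err := VerifyFacebookIDToken(tok, &key.PublicKey, aud, "other", now); err == nil {
		return errors.New("wrong nonce accepted")
	}
	if _, err := VerifyFacebookIDToken(tok, &key.PublicKey, aud, nonce, now.Add(2*time.Hour)); err == nil {
		return errors.New("expired token accepted")
	}
	parts := strings.Split(tok, ".")
	flip := "A" // change the first signature character so the signature no longer matches
	if strings.HasPrefix(parts[2], "A") {
		flip = "B"
	}
	if _, err := VerifyFacebookIDToken(parts[0]+"."+parts[1]+"."+flip+parts[2][1:], &key.PublicKey, aud, nonce, now); err == nil {
		return errors.New("tampered signature accepted")
	}
	return nil
}

func main() {
	fmt.Println("self-check error:", SelfCheck())
}
```

The order matters: nothing in the payload is trusted until the signature has been verified against a key belonging to the expected issuer, and the nonce check is what ties the token to the sign-in attempt that passed that nonce to signInWithIdToken.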

Take your time. Meanwhile, we are replacing Supabase with something else.


max-win avatar Aug 02 '24 05:08 max-win

Is there any update on this? Are there alternative ways to use Facebook or is this a total blocker?

stephenlindauer avatar Aug 26 '24 17:08 stephenlindauer

It's wild that there's no fix almost 6 months later.

lewisdonovan avatar Sep 30 '24 13:09 lewisdonovan