facebook / facebook-android-sdk

Used to integrate Android apps with Facebook Platform.
https://developers.facebook.com/docs/android

Facebook login (Android SDK & iOS SDK & Web OAuth2) not providing email address to application when user changes email address on Facebook #1216

Open nolimitdev opened 7 months ago

nolimitdev commented 7 months ago

Checklist before submitting a bug report

Java version

1.8

Android version

Any

Android SDK version

16.0.0

Installation platform & version

Gradle

Package

Login

Goals

When using Facebook login I want to get the user's email address because I have requested it and the user granted it!

Expected results

Email address must be provided to app which requested it.

Actual results

Email address is not provided. Note that the same bug is in Android Login and Web Login. Facebook has a critical bug in OAuth2. When you add a new email address (and verify it - it is required, cannot be skipped) and remove the original email address from Facebook options, then Android/Web (OAuth2) login no longer works because Facebook does not provide the email address to the app although the app requires it and the user grants it! Please note that this is not related to just my Facebook account but probably to any (tested at least using 3 different accounts). Also note that this is not related to just my Facebook application but probably any. I have tested this bug on more Facebook accounts (by adding a new email and removing the old one) and tested with more applications. The result is always the same - the bug is there. Note that the problem is not that the app receives a different email, which is of course expected when the user changed it, but that the app will receive NO email at all (email field missing/empty/null).

Steps to reproduce

Use any Facebook account. Try to use Facebook Android/Web sign in to get the email address. It will work fine until you add another email address in your Facebook account (of course verify the code sent to the email), then remove the original/first email address from address. Now no app is able to get the email address although it is requested in scopes and the user grants it! Also you can try to remove the app from https://www.facebook.com/settings?tab=applications&ref=settings and try to sign in again - it also does not work. The app will not receive the email address. So it is very easy to reproduce this bug as described.

Code samples & details

No response

nolimitdev commented 7 months ago

I have also published the bug here https://developers.facebook.com/community/threads/276984085174740 and another user immediately wrote "I have the same issue. Email exists, access is granted, but field is not provided.". I wonder that this bug has not been caught by Facebook itself. By our logs, the situation when a user grants the email scope but the email field is empty takes ages. Year 2015 without errors and since August 2016 many of these errors, including nowadays. So each user who changes email address is not able to correctly login to an application which requires an email address.

Bug affects both Android & Web login. In case web login I can provide more details immediately...

Facebook after OAuth2 grant dialog redirects to for example https://example.com/my-redir-uri/?granted_scopes=email%2Cpublic_profile&denied_scopes&code=...&state=... as you can see there all looks good in URL - user granted access, granted_scopes contains "email" and denied_scopes is empty, but when exchanging access token for user data with request e.g. https://graph.facebook.com/v16.0/me?fields=id,email,name,first_name,last_name,gender&access_token=... email field is missing in response data!

I hope Android can be investigated by Facebook. But I can confirm users with a changed email address are not able to login to our app using the Android Facebook SDK because, as in web login, the email field is also missing in Android login.
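One way a backend can separate the case reported above (email scope granted, `email` absent from the `/me` response) from a denied scope, and still sign in returning users. This is an added example, not code from the thread or from the SDK; the function names, the dict-based account store, and the sample values are assumptions, and it presumes the application stores the Graph API `id` for each user.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample data modelled on the redirect and /me request quoted above.
SAMPLE_REDIRECT = ("https://example.com/my-redir-uri/?granted_scopes=email%2Cpublic_profile"
                   "&denied_scopes&code=PLACEHOLDER_CODE&state=PLACEHOLDER_STATE")
SAMPLE_ME_RESPONSE = ('{"id": "1000000000000001", "name": "Test User", '
                      '"first_name": "Test", "last_name": "User"}')


def parse_scopes(redirect_url):
    """Return (granted, denied) scope sets from the redirect query string."""
    query = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)

    def scopes(key):
        raw = ",".join(query.get(key, []))
        return {s for s in raw.split(",") if s}

    return scopes("granted_scopes"), scopes("denied_scopes")


def classify_login(redirect_url, me_json):
    """Classify the login so each email outcome can be logged and handled separately."""
    granted, denied = parse_scopes(redirect_url)
    profile = json.loads(me_json)
    email = (profile.get("email") or "").strip()
    if email:
        status = "email_present"
    elif "email" in granted:
        status = "email_granted_but_missing"  # the case reported in this issue
    elif "email" in denied:
        status = "email_denied"
    else:
        status = "email_not_requested"
    return {"status": status, "fb_id": profile["id"], "email": email or None}


def resolve_account(result, accounts_by_fb_id):
    """Look up a returning user by provider id, not by email (hypothetical dict store)."""
    account = accounts_by_fb_id.get(result["fb_id"])
    if account is not None:
        return "login", account        # known user: email is not needed to authenticate
    if result["email"] is None:
        return "ask_for_email", None   # new user: collect and verify an email in-app
    return "register", {"fb_id": result["fb_id"], "email": result["email"]}
```

Counting the `email_granted_but_missing` status in logs gives the affected-user rate without mixing it with users who declined the permission.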

pad01g commented 7 months ago

I also have this issue.

(edit)

I am using Facebook as a backend identity provider of AWS Cognito. AWS Cognito user pool has an immutable option to require email address from Facebook every time user logs in. User can register to Cognito for the first time by Facebook if Facebook email address is not modified. However, when the user modifies email address on his Facebook account, the user can no longer log in to Cognito because Facebook does not provide email address anymore. Cognito user pool option is immutable and you cannot loosen the condition that requires email address for login, and we end up giving up Facebook as an identity provider this time. However, we hope to add Facebook login feature if this bug is fixed.

nolimitdev commented 7 months ago

UPDATE: Btw I can confirm the same problem is with iOS SDK. So all 3 platforms (Android SDK & iOS SDK & Web OAuth2) are affected by some Facebook global bug.

nolimitdev commented 6 months ago

Is this repository live? Why is there still no response from Facebook to a critical bug affecting all Facebook apps and all Facebook users who changed an email address in the past? We had to set a special error message for users explaining why they are not able to sign in via Facebook...

Sorry that Facebook login does not work for you! Facebook did not provided your email address although you granted this permission. This is many years old bug, it is reported to Facebook but it is ignored.

Btw in the case of our apps, by inspecting logs, about 5% of users are not able to login due to this Facebook bug.

Micpol commented 6 months ago

I have the same issue in my current project - when I changed my email address I'm not able to retrieve it when logging in with Facebook even though I granted the permission to get it.

nolimitdev commented 6 months ago

> I have the same issue in my current project - when I changed my email address I'm not able to retrieve it when logging in with Facebook even though I granted the permission to get it.

@Micpol Now imagine how many users could have changed their email address on Facebook during several years. All those people may have a problem with Facebook SignIn. I'm really interested in when Facebook employees will start to take care of this critical issue.