v17.0.0 Invalid access tokenString

[paulsamuels]

Checklist before submitting a bug report

• [X] I've updated to the latest released version of the SDK
• [X] I've searched for existing GitHub issues
• [X] I've looked for existing answers on Stack Overflow, the Facebook Developer Community Forum and the Facebook Developers Group
• [X] I've read the Code of Conduct
• [X] This issue is not security related and can safely be disclosed publicly on GitHub

Xcode version

15.3

Facebook iOS SDK version

17.0.0

Dependency Manager

SPM

SDK Framework

Login

Goals

Have a valid access token after logging in

Expected results

Calling AccessToken.current?.tokenString should give me a token that can be validated using the Access Token Debugger

Actual results

I get Invalid OAuth access token - Cannot parse access token from the Access Token Debugger tool

Steps to reproduce

In a project following the the basic set up tutorial run the following

FacebookLogin.LoginManager().logIn(permissions: ["public_profile"], from: self) { result, error in
    print(AccessToken.current?.tokenString)
}

Use the printed string in the Access Token Debugger https://developers.facebook.com/tools/debug/accesstoken

Code samples & details

No response

Additional details

This works as expected in 16.3.1

[Yu-sec]

俺也一样

[TatyanaLeschenok]

It looks like starting iOS 17 you are getting a valid access token only if the user agreed for the app tracking. If the user did not agree or the app has not asked yet (status not determined) then the SDK is switching to the limited login mode. Agree, It is weird that they return a malformed access token in this case.

[mmdock]

@TatyanaLeschenok so how do i proceed from there if the access token is invalid and i cant use it to get public_profile fields ?

[mjlmton]

@TatyanaLeschenok so how do i proceed from there if the access token is invalid and i cant use it to get public_profile fields ?

In the limited login mode, facebook with return an authentication token, which contains user profile. Just decode it locally.

[mmdock]

@mjlmton my application normally sends the accesstoken in SDK 16.3.1 to our backend, and from there we grap user photos for the account sign up process.

can i still send the AuthenticationToken to my backend and update my backend to be able to use it? what is in the JWT value?

[mjlmton]

@mmdock

can i still send the AuthenticationToken to my backend and update my backend to be able to use it?

Yes, send it to the backend, use the token fields after validating it.

what is in the JWT value?

It depends on what the user granted. Check the official doc limited login permissions. For user profile, we decode from authentication token and get family_name,middle_name,given_name,name,picture

[bm185178]

Having so much issue with v17. Now Privacy Manifest will block everyone's releases in May 1st, 2024.

[zhong-meta]

Hello,

In response to the upcoming changes to ATT enforcement, we made changes to the iOS SDK and the SDK no longer provides valid user access tokens in scenarios where the user opts out of ATT. The access token validation or Graph API requests may throw errors like OAuthException - “Invalid OAuth access token - Cannot parse access token”. Our recommendation is that users integrate Limited Login following the official documentation: https://developers.facebook.com/docs/facebook-login/limited-login/ios https://developers.facebook.com/docs/facebook-login/limited-login/unity/

See more details here.

[Nathan-Molby]

@zhong-meta how are we supposed to proceed if we are using a third-party login provider which doesn't support the new JWT? We've reached out but have no control over our login provider supporting this new token.

[mjlmton]

@zhong-meta hello, when we process the token fields in limited-login Authentication Token, we find the public_profile related fields are not consistent with fields from graph-api. We propose a question in the Facebook Developer Community Forum. Please help to check out.