facebook / facebook-ios-sdk

Used to integrate the Facebook Platform with your iOS & tvOS apps.
https://developers.facebook.com/docs/ios

limited login auth token not refreshed when trackingPreference not explicitly passed in login config #2402

Open brainbicycle opened 2 weeks ago

brainbicycle commented 2 weeks ago


Xcode version

15.1

Facebook iOS SDK version

17.0.0

Dependency Manager

CocoaPods

SDK Framework

Login

Goals

To consistently get a valid JWT when invoking the login method in the Facebook SDK

Expected results

Any time I invoke the Login methods on the SDK, a new authentication token should be returned that can be verified and converted into a user session.

Actual results

Repeatedly receive the same authentication token even after expiry on subsequent Login invocations.

Steps to reproduce

You can reproduce this bug in the sample login app in this repo with some small changes:

  1. Configure the sample app with the client app id, secret key and url schemes
  2. Open up the LoginManagerViewController and comment out the optional trackingPreference param in the config:

    var configuration: LoginConfiguration? {
        if let nonce = nonce, !nonce.isEmpty {
            return LoginConfiguration(
                permissions: [.publicProfile, .email],
                // tracking: trackingPreference,
                nonce: nonce
            )
        }
        else {
            return LoginConfiguration(
                permissions: [.publicProfile, .email]
                // tracking: trackingPreference
            )
        }
    }
  3. Run the app, open the Login Manager Example and tap 'Invoke login method' and complete login
  4. Take note of the authentication token on the Login Details page that shows
  5. Go back
  6. Tap 'Invoke login method' again and complete login
  7. Observe that the authentication token is the exact same token on the Login Details Page
  8. Undo changes from step 2
  9. Repeat step 3-7
  10. Observe the authentication token changes with each login as expected

Code samples & details

This can be worked around by explicitly passing the trackingPreference, but it is quite confusing, since the latest SDK version automatically opts into Limited Login without it being passed explicitly in the config. It is a risk: if anything goes wrong with converting the initial login to a session, users can end up locked out of Facebook login.

zhong-meta commented 2 weeks ago

Hello,

In response to the upcoming changes to ATT enforcement, we made changes to the iOS SDK and the SDK no longer provides valid user access tokens in scenarios where the user opts out of ATT. The access token validation or Graph API requests may throw errors like OAuthException - “Invalid OAuth access token - Cannot parse access token”. Our recommendation is that users integrate Limited Login following the official documentation: https://developers.facebook.com/docs/facebook-login/limited-login/ios https://developers.facebook.com/docs/facebook-login/limited-login/unity/

See more details here.

brainbicycle commented 2 weeks ago

> Hello,
>
> In response to the upcoming changes to ATT enforcement, we made changes to the iOS SDK and the SDK no longer provides valid user access tokens in scenarios where the user opts out of ATT. The access token validation or Graph API requests may throw errors like OAuthException - “Invalid OAuth access token - Cannot parse access token”. Our recommendation is that users integrate Limited Login following the official documentation: https://developers.facebook.com/docs/facebook-login/limited-login/ios https://developers.facebook.com/docs/facebook-login/limited-login/unity/
>
> See more details here.

I understand that, but it isn't the issue at hand: the authentication token returned from the SDK does not refresh unless you explicitly pass the .limited param, which feels like a bug.

madhavan-sundararaj commented 2 weeks ago

Hey @zhong-meta, that is not a valid response to the issue raised.