Unable to get token_for_business in case user opts out of ATT

[taozhang159]

Checklist before submitting a bug report

• [X] I've updated to the latest released version of the SDK
• [X] I've searched for existing GitHub issues
• [X] I've looked for existing answers on Stack Overflow, the Facebook Developer Community Forum and the Facebook Developers Group
• [X] I've read the Code of Conduct
• [X] This issue is not security related and can safely be disclosed publicly on GitHub

Xcode version

15.3

Facebook iOS SDK version

17.0.1

Dependency Manager

CocoaPods

SDK Framework

Login

Goals

Using Facebook that limit login, when I reject the ATT pop-up window for ad tracking, I hope to get the token_for_business corresponding to the user.

Expected results

Using Facebook that limit login, when I reject the ATT pop-up window for ad tracking, I hope to get the token_for_business corresponding to the user.

Actual results

Version:

Upgrade Facebook version to 17.0.1

Scenes:

1. Traditional login mode,

1.1 Start the application, select the Deny Authorization ATT pop-up window, click Facebook to log in, you will enter the limited.facebook.com website, obtain the accessToken, and then request https://graph.facebook.com/v19.0/xx?access_token=xx&fields =token_for_business

{ "error": { "message": "Invalid OAuth access token - Cannot parse access token", "type": "OAuthException", "code": 190, "fbtrace_id": "A3YYkEZkifmBsHd3qLtZ9ER" } }

2. Restrict login mode

2.1 Start the application, select the Deny Authorization ATT pop-up window, click Facebook to log in, you will enter the limited.facebook.com website, and the accessToken obtained is nil. Another OIDC-Token has a value, but token_for_business cannot be obtained through OIDC.

in conclusion:

I want to know how to correctly obtain token_for_business after rejecting the ATT pop-up window.

Steps to reproduce

No response

Code samples & details

// Traditional login code

[self.fbloginMangager logInWithPermissions: [self getFacebookPermissions] fromViewController:nil handler:^(FBSDKLoginManagerLoginResult *result, NSError *error) {
    if (error) {

    }else if (result.isCancelled) {

    }else {
        NSString *accessToken = result.token.tokenString? : @"";
    }
 }];

// limit login code

FBSDKLoginConfiguration *configuration =
  [[FBSDKLoginConfiguration alloc] initWithPermissions:@[@"public_profile"]
                                              tracking:FBSDKLoginTrackingLimited
                                                 nonce:@"123"];
[self.fbloginMangager logInFromViewController:nil configuration:configuration completion:^(FBSDKLoginManagerLoginResult * _Nullable result, NSError * _Nullable error) {
    if (error) {

    }else if (result.isCancelled) {

    }else {
        NSString *accessToken = result.token.tokenString;
        NSString *jwtToken =
        FBSDKAuthenticationToken.currentAuthenticationToken.tokenString? : @""
    }
}];

[penoty]

Face the same issue, anyone has any idea？ In the limit login, how can we get the token_for_business, since we use this field as a unique identifier for the user regist from Facebook.

[shixueqian]

Same here. Does anyone know if it's still possible to obtain the token_for_business in this situation?

[vladyslav-androshchuk]

Hello, that is explained in the documentation, but quite hard to find. So you need to obtain an App Access Token and use it on your server to fetch token_for_business from the GraphQL.

[taozhang159]

When you reject the pop-up authorization of advertising ATT, the access_token obtained cannot be obtained through the method in the above document for token_for_business

[vladyslav-androshchuk]

When you reject the pop-up authorization of advertising ATT, the access_token obtained cannot be obtained through the method in the above document for token_for_business

access_token - yes, but read more carrefully, I said about App Access Token which you obtain totaly different and only on the backend (due to the security):

[taozhang159]

当你拒绝广告ATT弹窗授权时，获取到的access_token无法通过上述文档中token_for_business的方法获取

access_token-是的，但请仔细阅读，我说过App Access Token您的获得是完全不同的，并且只告知（安全性考虑）：

Our Facebook login uses token_for_business as the user's unique identifier, but after upgrading Facebook to 17.0.2, when using restricted login, after rejecting ATT, we cannot get token_for_business through the GET /ASID?fields=token_for_business interface. Is there any good way? Can you give me some advice?