WARNING: Don't upgrade to FBSDK v17 without supporting Limited Login (the Changelog is misleading)

[ricsantos]

Checklist before submitting a bug report

• [X] I've updated to the latest released version of the SDK
• [X] I've searched for existing GitHub issues
• [X] I've looked for existing answers on Stack Overflow, the Facebook Developer Community Forum and the Facebook Developers Group
• [X] I've read the Code of Conduct
• [X] This issue is not security related and can safely be disclosed publicly on GitHub

Xcode version

15.3

Facebook iOS SDK version

17.0.0

Dependency Manager

CocoaPods

SDK Framework

Core

Goals

Recently updated some iOS apps I work on to use FBSDK 17.0 so that the Privacy Manifests were included, as required by Apple.

As usual, I checked the changelog overview when updating, it reports:

https://github.com/facebook/facebook-ios-sdk/blob/main/CHANGELOG.md#1700

17.0.0

Added

• Added privacy manifests

2024-02-16 | [Full Changelog]

Which seems ok.

Expected results

I expected the SDK to still work.

I expect the changelog overview to highlight any breaking changes, eg:

• Implement Limited Login or else the access token will no longer work when authenticating a user if they have denied ATT permission

Actual results

Noticed some users were failing to authenticate on our servers (we send the access token to our server then use npm passport-facebook-token to authenticate and login or register the user). We started seeing these errors:

{
   "error":{
      "message":"Invalid OAuth access token - Cannot parse access token",
      "type":"OAuthException",
      "code":190,
      "fbtrace_id":"AUuBS..."
   }
})

Took a while to realise that, in FBSDK 17 and higher, if a user denies App Tracking (or later turns it off), the access token returned by FBSDKs LoginManager.logIn(permissions API will failed to be parsed.

Steps to reproduce

1. Show user ATT prompt
2. Deny Tracking
3. Try to login using access token returned by LoginManager.logIn(permissions

Code samples & details

Please update the changelog if that is possible, so others don't make the same mistake. 

Can't believe that such a breaking change was so poorly communicated, and the error message so vague.

Related v17 issues that show this was a surprise and the migration path not well communicated:

https://github.com/facebook/facebook-ios-sdk/issues/2365

https://github.com/facebook/facebook-ios-sdk/issues/2416

https://github.com/facebook/facebook-ios-sdk/issues/2417

https://github.com/facebook/facebook-ios-sdk/issues/2426

https://github.com/facebook/facebook-ios-sdk/issues/2431

https://github.com/facebook/facebook-ios-sdk/issues/2442

https://github.com/facebook/facebook-ios-sdk/issues/2446

https://github.com/facebook/facebook-ios-sdk/issues/2449

https://github.com/facebook/facebook-ios-sdk/issues/2451

and more...

[ricsantos]

Also found this issue which mirrors my sentiment: https://github.com/facebook/facebook-ios-sdk/issues/2384

[ricsantos]

https://github.com/facebook/facebook-ios-sdk/issues/2365#issuecomment-2085542379

[krunalgoswamimoviepass]

Hey @ricsantos, We saw there is a updated version 17.0.2 available with some solution. Did you verified ? kindly help us out.

[ricsantos]

Yes 17.0.2 still needs Limited Login, any version >= 17 needs it.

[chaturj]

Hey @ricsantos, i have some issue with multiple login limitation with ios 17 version with swift package menager version 17.0.2 please check and solve the issue asap.

[ricsantos]

@chaturj don't we all 😅

What's your problem?

[chaturj]

Hey @ricsantos, i have issue with not open facebook app login with facebook for sdk version 17.0.2. it's work for sdk version 14.1.0.please see this screenshot for login with facebook open webpage

[ricsantos]

Just use the web based login.