facebook / facebook-sdk-for-unity

The facebook sdk for unity.
https://developers.facebook.com/docs/unity

JWT authentication token is outdated and never gets refreshed unless I uninstall the app #582

Open Metallix opened 3 years ago

Metallix commented 3 years ago

Checklist

Environment

Describe your dev environment here, giving as many details as possible. If you have them, make sure to include:

Goals

Verify the authentication token after the limited login.

Expected Results

The authentication token is not outdated after FB.Init() and FB.Login()

Actual Results

The authentication token is valid for one hour but then stays outdated, even after app restarts or updates. When debugging the result of FB.Mobile.CurrentAuthenticationToken() it appears to be a token that is expired. Even when logging out from Facebook on the device (Webpage) or even logging in with a different user, the token does not update.

Steps to Reproduce

Code Samples & Details

```csharp
var authenticationToken = FB.Mobile.CurrentAuthenticationToken();
Debug.Log(authenticationToken.ToString());
// The expiry time of this token never updates and stays outdated even after a few days.
```

Metallix commented 3 years ago

It appears that the JWT is designed to be the state of the user at the time of login. (See https://github.com/facebook/facebook-ios-sdk/issues/1663 (first response).) This means it never refreshes, except by calling FB.Login... again. This is not ideal when we want to use Facebook as an identity provider on every app start. For now we got around this by caching the user's session on the device, so we do not need to re-authenticate with our game servers all the time. But that seems very odd. How are we supposed to use the limited Facebook login as an identity provider, without showing a login dialog every other hour?

ppansy commented 3 years ago

The user's authentication session should remain valid even after the expiration of AuthenticationToken. You should not need to show a login dialog every hour. I didn't quite understand the need to maintain a separate cache for user session. The SDK should already provide that, i.e. `FB.Mobile.CurrentAuthenticationToken()` or `FB.Mobile.CurrentProfile()`. The user session remains valid as long as there's an instance of Profile. Would that work for your use case?
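
The pattern this thread converges on (treat the Limited Login JWT as a one-time login assertion, then rely on a session with its own lifetime) sketched for a hypothetical Python game backend; this is an added example, not code from the SDK or from either commenter. It assumes the JWT signature has already been verified against the issuer's published keys by a JWT library before `check_login_claims` runs (omitted so the block runs offline); all function names, `SESSION_TTL`, `SERVER_KEY` and the sample token are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets

SESSION_TTL = 30 * 24 * 3600          # assumption: the game's own session lifetime
SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment MAC key

def jwt_claims(token):
    """Parse a compact JWT's payload. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def check_login_claims(claims, app_id, nonce, now):
    """Login-time checks; run only after the signature has been verified."""
    if claims.get("aud") != app_id:
        raise ValueError("token issued for another app")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        raise ValueError("nonce mismatch")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("no subject")
    return str(claims["sub"])

def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_session(user_id, now):
    """Mint the server's own session; its lifetime is independent of the JWT's exp."""
    body = f"{user_id}.{now + SESSION_TTL}"
    return f"{body}.{_mac(body)}"

def session_user(session, now):
    """Return the user id for an authentic, unexpired session, else None."""
    body, _, mac = session.rpartition(".")
    user_id, _, expires = body.rpartition(".")
    if not hmac.compare_digest(mac.encode(), _mac(body).encode()) or not expires.isdigit():
        return None
    return user_id if now < int(expires) else None

def constructed_token(claims):
    """Build a sample JWT with a dummy signature (constructed, not a real token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.constructed"

if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed login time
    tok = constructed_token({"aud": "APP_ID", "sub": "u1", "nonce": "n1", "exp": t0 + 3600})
    session = issue_session(check_login_claims(jwt_claims(tok), "APP_ID", "n1", t0), t0)
    print(session_user(session, t0 + 2 * 24 * 3600))  # session still valid two days later
```

The JWT is checked once, while it is still fresh; after that only the server-issued session is consulted, so the token's one-hour expiry does not force a new login dialog.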