supabase / auth

A JWT based API for managing users and issuing JWT tokens
https://supabase.com/docs/guides/auth
MIT License

Facebook Social Auth signInWithIdToken needs custom parser #1522

Open kelvanb97 opened 5 months ago

kelvanb97 commented 5 months ago

Bug Report

Describe the bug

Experiencing issues with supabase.auth.signInWithIdToken via the react-native-fbsdk-next lib, a custom auth flow, and a web-based approach for authentication. All errors point in the same direction:

ERROR : {"name":"AuthApiError","message":"Bad ID token","status":400}

To Reproduce

Steps to reproduce the behavior:

  1. Implement supabase.auth.signInWithIdToken with react-native-fbsdk-next according to Supabase docs.
  2. Attempt to log in using Facebook credentials.
  3. In a separate scenario, follow the WebBrowser-based authentication approach.
  4. Observe the errors in both methods.

Expected behavior

Successful authentication without errors using both the native and web approaches for logging in with Facebook credentials.

Screenshots

N/A

System information

N/A

Additional context

The issue seems related to handling JWT structures and server-side errors during the authentication process. Investigations into Supabase's handling of generic ID tokens and discussions on platforms like Reddit suggest this might be an upstream error with Supabase. Looking at the function ParseIDToken found at auth/internal/api/provider/oidc.go it looks like the same pattern needs to be applied to Facebook Id tokens.

Suggested fix

Add a new function parseFacebookIdToken to ParseIDToken that is specifically designed for FB JWT tokens.

nikitapilgrim commented 4 months ago

Same, Android only.

evelant commented 4 months ago

I'm also running into this trying to transition from Firebase auth to Supabase auth. It seems that Facebook auth is not usable with Supabase at the moment? This is a critical blocker for us. @hf @kangmingtay is this easily resolvable?

J0 commented 4 months ago

Hey,

Thanks everyone. Would anyone be able to supply us the rough structure of a JWT issued by Facebook auth? With sensitive fields omitted of course.

evelant commented 4 months ago

Facebook encrypts their token. AFAIK there's no way to decode it. Looking at their docs it's unclear how to get a plain JWT from them. https://developers.facebook.com/docs/facebook-login/guides/access-tokens

evelant commented 4 months ago

Supabase auth may need to take the encrypted Facebook token, call a Facebook endpoint to validate it, then mint a JWT for the user based on that.

max-win commented 4 months ago

Same issue here. Without Facebook login integration working, we can't use Supabase.

dimatarasenko1 commented 3 months ago

Facing the same issue when trying to implement Facebook Limited Login in an app.

token = AuthenticationToken.getAuthenticationTokenIOS() from react-native-fbsdk-next

Running supabase.auth.signInWithIdToken({ provider: "facebook", token: token, nonce: "xxxx" }) returns error [AuthApiError: Bad ID token]

The JWT structure of the token is below, @J0. I believe it's valid and just unsupported on the Supabase side?

{
  "iss": "https://www.facebook.com",
  "aud": "1891562374xxxxxx",
  "sub": "7897141157xxxxxx",
  "iat": 1719494213,
  "exp": 1719497813,
  "jti": "xxxxxxxxx",
  "nonce": "xxxxxx",
  "at_hash": "xxxxxxxx",
  "given_name": "Name",
  "family_name": "Surname",
  "name": "Name Surname",
  "picture": "https://platform-lookaside.fbsbx.com/platform/profilepic/?xxxx"
}
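As an added illustration (not code from supabase/auth, and not the fix the maintainers would necessarily write), here is what a parseFacebookIdToken along the lines suggested in the opening report would have to do with a token carrying the claim set posted in the comment above. It assumes an RSA public key already selected from Facebook's JWKS by the token's kid header (Facebook's openid-configuration endpoint advertises where the JWKS lives; fetching and caching it is not shown), the app ID configured on the Supabase side as the expected audience, and the nonce the relying party expects for this login attempt. The key, app ID, subject and nonce used in main are constructed placeholders, and the token is signed locally only so the example runs offline; a real ID token is signed by Facebook. Only the Go standard library is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// "iss" value of the token posted in this thread.
const facebookIssuer = "https://www.facebook.com"
// FacebookIDClaims mirrors the claim set posted above (other profile fields omitted).
type FacebookIDClaims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce,omitempty"`
	Name  string `json:"name,omitempty"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 mints a compact JWS so the example can build a fixture token offline;
// a real ID token is signed by Facebook, never by the relying party.
func SignRS256(claims FacebookIDClaims, key *rsa.PrivateKey) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64url([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// ParseFacebookIDToken does what a relying party must do before trusting "sub":
// pin the algorithm, verify the signature with the issuer's key, then check issuer,
// audience (our app ID), expiry and the nonce bound to this login attempt.
// pub is assumed to be the key selected from Facebook's JWKS by the token's "kid".
func ParseFacebookIDToken(token string, pub *rsa.PublicKey, appID, expectedNonce string, now time.Time) (*FacebookIDClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("bad id token: expected header.payload.signature")
	}
	seg := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("bad id token: segment %d: %w", i, err)
		}
		seg[i] = b
	}
	// Never let the token choose its own algorithm ("none", HMAC keyed with the public key, ...).
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(seg[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad id token: unsupported alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]); err != nil {
		return nil, errors.New("bad id token: signature does not verify")
	}
	var c FacebookIDClaims
	if err := json.Unmarshal(seg[1], &c); err != nil {
		return nil, fmt.Errorf("bad id token: claims: %w", err)
	}
	switch {
	case c.Iss != facebookIssuer:
		return nil, fmt.Errorf("bad id token: issuer %q", c.Iss)
	case c.Aud != appID:
		return nil, errors.New("bad id token: audience is not this app")
	case c.Sub == "":
		return nil, errors.New("bad id token: missing sub")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("bad id token: expired")
	case expectedNonce != "" && c.Nonce != expectedNonce:
		return nil, errors.New("bad id token: nonce mismatch")
	}
	return &c, nil
}

func main() {
	// Constructed fixture: key, app ID, subject and nonce are placeholders shaped like the token above.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	tok, _ := SignRS256(FacebookIDClaims{Iss: facebookIssuer, Aud: "app-id-placeholder", Sub: "user-id-placeholder",
		Iat: now.Unix(), Exp: now.Add(time.Hour).Unix(), Nonce: "nonce-placeholder", Name: "Name Surname"}, key)
	claims, err := ParseFacebookIDToken(tok, &key.PublicKey, "app-id-placeholder", "nonce-placeholder", now)
	fmt.Println(claims, err)
}
```

The order of checks matters: the signature is verified before any claim is read, and the algorithm is pinned from the verifier's side rather than taken from the header, so a token that says alg none or swaps to an HMAC algorithm is refused before its payload can influence anything. The posted token carries aud as a single string, which is what this struct expects; a provider that sends aud as an array would need the field accepted only when it contains the configured app ID.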

evelant commented 3 months ago

@dimatarasenko1 Unfortunately that will only work on iOS. AFAIK you can't use limited login on Android.

dimatarasenko1 commented 3 months ago

To be clear, that's running on iOS via react-native-fbsdk-next, executing AuthenticationToken.getAuthenticationTokenIOS() and returning a JWT token all OK on the Facebook side, @evelant.

The error is thrown when passing this token to supabase.auth.signInWithIdToken

evelant commented 3 months ago

Yes, I'm aware; I was just pointing out that even if Supabase fixes parsing of that token, it won't help with Android at all, because you can't get a limited login token on Android.

oddanderson commented 2 months ago

+1

f-bog commented 2 months ago

I'm also running into this trying to transition from Firebase auth to Supabase auth. It seems that Facebook auth is not usable with Supabase at the moment? This is a critical blocker for us. @hf @kangmingtay is this easily resolvable?

Hey @evelant,

Have you found a workaround for this issue? I am also trying to transition from Firebase Auth, and this is completely blocking me.

kangmingtay commented 2 months ago

Hi everyone, we're aware of this problem with signInWithIdToken and Facebook. Currently, the team is stretched extremely thin on bandwidth and it will be quite some time before we're able to investigate the root cause and push a fix for it.

We do welcome any contributions to attempt to fix this issue and we'll be more than happy to help review it:

Here are some useful references sent by another user in an internal support ticket:

  1. Facebook's OpenID configuration endpoint: https://www.facebook.com/.well-known/openid-configuration/
  2. Token endpoint: https://graph.facebook.com/v17.0/oauth/access_token
  3. Possibly a useful link to why facebook's OIDC endpoint doesn't work for the generic use case: https://stackoverflow.com/questions/76473817/is-it-possible-to-use-facebook-limited-login-via-openid-connect-with-pac4j

max-win commented 2 months ago

Take your time. Meanwhile, we are replacing Supabase with something else.

On Fri, Aug 2, 2024 at 12:55 AM Kang Ming @.***> wrote:

Hi everyone, we're aware of this problem with signInWithIdToken and facebook - currently, the team is stretched extremely thin on bandwidth and it will be quite some time before we're able to investigate the root cause and push a fix for it.

We do welcome any contributions to attempt to fix this issue and we'll be more than happy to help review it:

Here are some useful references sent by another user in an internal support ticket:

  1. Facebook's OpenID configuration endpoint: https://www.facebook.com/.well-known/openid-configuration/
  2. Token endpoint: https://graph.facebook.com/v17.0/oauth/access_token
  3. Possibly a useful link to why facebook's OIDC endpoint doesn't work for the generic use case: https://stackoverflow.com/questions/76473817/is-it-possible-to-use-facebook-limited-login-via-openid-connect-with-pac4j


stephenlindauer commented 1 month ago

Is there any update on this? Are there alternative ways to use Facebook or is this a total blocker?

lewisdonovan commented 5 days ago

It's wild that there's no fix almost 6 months later.