API calls from the server require an appsecret_proof argument

[rachael-ross]

We recently upgraded to Xamarin.Facebook.iOS 5.12 (and we tried 5.6.0.1) and we're performing client flow auth by requesting a Facebook access token on the client using the Xamarin.Facebook.iOS SDK, then calling into our server (Azure App Service with Azure Authentication Middleware) with that access token. Azure Auth then uses that token to validate access before issuing an authenticationToken back to our mobile app. From then forward, the mobile app uses the authenticationToken to make calls to the api hosted in Azure App Service.

Prior to upgrading the SDK, this has been configured and running for a year and a half with no issues. We haven't changed anything in our info.plist. We've always required the AppSecret with requests to FB and it's stored in Azure as well as info.plist of mobile app. I've triple checked appId and appSecret in FB Dev Console, Azure Authentication configuration and info.plist. Everything looks good to me.

Now we're getting an error when sending the accessToken that we receive from the client SDK to Azure for validation and issuance of an authenticationToken specific to our API that the mobile app calls into. The error that Azure is receiving back from Facebook is:

We are, in fact, receiving an access token from the FB client flow and sending it to Azure:

What am I missing here? Is there additional configuration that needs to be performed in the client app or how I'm using the Xamarin.Facebook SDK?

Additional questions:

• If using Xamarin.Facebook.iOS 5.12 or 5.6.0.1, what Facebook API version should be set in the Dev Console? We have 3.3 selected since that's what it seems like Azure is configured for.
• What should the info.plist look like? Specifically, query schemes?

• If we're only using the xam fb client sdk for login (no app event tracking, posting, advertising, etc.) what should the initialization and set up of the client look like? This is what we have (only relevant code included):

  public override bool FinishedLaunching(UIApplication uiApplication, NSDictionary launchOptions)
      { 
          //facebook
          Profile.EnableUpdatesOnAccessTokenChange(true);   
          Settings.AutoLogAppEventsEnabled = false; // added this to troubleshoot - no diff
     }
  
  public override bool OpenUrl(UIApplication app, NSUrl url, NSDictionary options)
      {
          var parsedOptions = new UIApplicationOpenUrlOptions(options);
  
          // facebook
          if (url.Scheme == EnvironmentConfiguration.FacebookScheme)
          {
              return ApplicationDelegate.SharedInstance.OpenUrl(app, url, parsedOptions.SourceApplication, parsedOptions.Annotation);
          }
     }

[Digifais]

Not sure if you still need help with this @rachael-ross. I don't have a lot of experience with the Facebook SDK yet myself, but have you read https://developers.facebook.com/docs/graph-api/securing-requests/#generate-proof?

As to your first question, I assume Graph API v5 as that was implemented in the 5.9.0 version of the Facebook iOS SDK (https://github.com/facebook/facebook-ios-sdk/blob/master/CHANGELOG.md#590).