iOS limited login #514

Closed
yosukapro opened this issue Apr 12, 2024 · 14 comments

@yosukapro

yosukapro commented Apr 12, 2024

I'm using react-native-fbsdk-sdk for Facebook login in my application. I just received an email from Meta about upgrading the FBSDKs to the latest version (v17.0.0) to incorporate the "Privacy Manifest" for Apple Store submission. So here is my update:

  • react-native-fbsdk-sdk : ^12.1.3 → ^13.0.0

🐛 Bug Report

After upgrading to the new version, I get two bugs:

  1. iOS limited login
  • I've followed the document to apply in my code
try {
     await LoginManager.logInWithPermissions(
       ['public_profile', 'email'],
       'limited',
       'my_nonce'
     );

     if (Platform.OS === 'ios') {
       const result = await AuthenticationToken.getAuthenticationTokenIOS();
       if (result?.authenticationToken)
         loginSocial(result.authenticationToken, LoginProvider.FACEBOOK);
     } else {
       const result = await AccessToken.getCurrentAccessToken();
       if (result) loginSocial(result.accessToken, LoginProvider.FACEBOOK);
     }
} catch (error) {
     console.log('error', error);
}

But in the Facebook login screen, a warning appears with the following content. How can I hide it for my users?
[Image: Simulator Screenshot - iPhone 15 - 2024-04-12 at 10 30 03]

  2. Can't fetch profile by authenticationToken
  • I can't use the token returned from the method AuthenticationToken.getAuthenticationTokenIOS() to fetch the user profile. I have logged it and still receive the token.

To Reproduce

  • Upgrade or install version 13.0.0

Expected Behavior

  • Don't display warning content in facebook login view
  • Can fetch profile

Code Example

...

 const pressFb = async () => {
    try {
      await LoginManager.logInWithPermissions(
        ['public_profile', 'email'],
        'limited',
        'my_nonce'
      );
      if (Platform.OS === 'ios') {
        const result = await AuthenticationToken.getAuthenticationTokenIOS();
        if (result?.authenticationToken)
          loginSocial(result.authenticationToken, LoginProvider.FACEBOOK);
      } else {
        const result = await AccessToken.getCurrentAccessToken();
        if (result) loginSocial(result.accessToken, LoginProvider.FACEBOOK);
      }
    } catch (error) {
      onClose();
      console.log('error', error);
    }
  };

...

<Button.Primary label={translate('auth.continueWithFacebook')} outline leftIcon={'IC_FB'} style={BTN_LOGIN} labelStyle={TXT_BTN} onPress={pressFb} />
...

Environment

System:
OS: macOS 14.2.1
CPU: (8) arm64 Apple M1
Memory: 106.08 MB / 8.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 18.18.0 - ~/.nvm/versions/node/v18.18.0/bin/node
Yarn: 1.22.19 - /opt/homebrew/bin/yarn
npm: 9.8.1 - ~/.nvm/versions/node/v18.18.0/bin/npm
Watchman: 2024.03.18.00 - /opt/homebrew/bin/watchman
Managers:
CocoaPods: 1.12.0 - /Users/drake/.rvm/gems/ruby-2.7.6/bin/pod
SDKs:
iOS SDK:
Platforms: DriverKit 23.2, iOS 17.2, macOS 14.2, tvOS 17.2, watchOS 10.2
Android SDK: Not Found
IDEs:
Android Studio: 2022.1 AI-221.6008.13.2211.9477386
Xcode: 15.1/15C65 - /usr/bin/xcodebuild
Languages:
Java: 17.0.10 - /usr/bin/javac
npmPackages:
@react-native-community/cli: Not Found
react: 18.2.0 => 18.2.0
react-native: 0.71.3 => 0.71.3
react-native-macos: Not Found
npmGlobalPackages:
react-native: Not Found

yosukapro closed this as not planned Apr 12, 2024
yosukapro reopened this Apr 12, 2024
@NidheeshVgopal

I have the same issue when I updated my fbsdk-next from 12.1.4 to 13.0.0. But the 12.1.4 is working fine.

@short-dsb
Contributor

The crux of the issue is that the Limited Login token cannot be used as an access token (emphasis mine):

> Limited Login returns an AuthenticationToken that wraps an OpenID Connect token. The ID token cannot be used to request additional data using the Graph API, such as friends, photos, or pages, and it cannot be used to get other tokens, such as Page or session info tokens. Doing so requires the use of classic Facebook Login (which does not support Limited Login safeguards).

This means using 13.0.0 for iOS requires a fundamentally different authentication flow than 12.1.4:

  • The token in the response has limited utility compared to the token from the classic Facebook Login, and
  • the logInWithPermissions method returns the user profile information directly, e.g., email and name.

TL;DR: 13.0.0 isn’t working for you because a Limited Login token cannot be used to access Facebook’s Graph API.
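
The consequence of the comment above, as an added example (not code from this thread or from the package): because the Limited Login token is an OpenID Connect ID token rather than a Graph API access token, a backend that receives it validates it as a signed JWT and reads the identity from its claims. The key pair, issuer URL, app ID and token below are constructed placeholders; in production the issuer, audience and signing keys would come from the provider's published OpenID Connect configuration, which is assumed here and not shown on this page.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Verify an RS256-signed ID token and its OIDC claims; returns the claims or throws.
function verifyIdToken(token, { publicKey, issuer, audience, nonce, now = Date.now() }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Pin the algorithm so the token cannot select "none" or an HMAC variant.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify('RSA-SHA256', signed, publicKey, Buffer.from(s, 'base64url'))) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (claims.aud !== audience) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp * 1000 <= now) throw new Error('expired');
  // The nonce ties the token to one login attempt; a fixed string gives no replay protection.
  const got = Buffer.from(String(claims.nonce));
  const want = Buffer.from(nonce);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('nonce mismatch');
  }
  return claims; // identity is read from these claims, not fetched from the Graph API
}

// Returns 'ok' or the rejection reason, for logging and tests.
function check(token, opts) {
  try { verifyIdToken(token, opts); return 'ok'; } catch (e) { return e.message; }
}

// --- Constructed sample: a local key pair and token standing in for the provider's ---
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signSample(claims) {
  const body = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${body}.${b64url(crypto.sign('RSA-SHA256', Buffer.from(body), privateKey))}`;
}
const nonce = crypto.randomBytes(16).toString('hex'); // generated per login attempt
const opts = { publicKey, issuer: 'https://issuer.example', audience: 'APP_ID_PLACEHOLDER', nonce };
const sampleToken = signSample({ iss: opts.issuer, aud: opts.audience, nonce,
  exp: Math.floor(Date.now() / 1000) + 300, sub: '0000000000', email: 'user@example.com' });
console.log(check(sampleToken, opts), check(sampleToken, { ...opts, nonce: 'my_nonce' }));
```

The same nonce value has to be supplied to `logInWithPermissions` on the client and to the verifier on the server for a given login attempt.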

@NidheeshVgopal

> a warning appears with the following content. How can I hide them for my users?

Is there any way to hide the "Limited Login" Warning from the Login interface?

@yosukapro
Author

yosukapro commented Apr 17, 2024

> Is there any way to hide the "Limited Login" Warning from the Login interface?

I have not found it yet.

By the way, Apple still requires a Privacy Manifest, which requires upgrading fbsdk to the latest version. And version 13.0.0 of this package is not working.

@short-dsb
Contributor

@mikehardy Appreciate all you do. Is there any way we could get the privacy manifest added to a 12.1 release? 13.0 isn’t an option for anyone who relies on classic Facebook Login for iOS and the privacy manifest is going to be a hard blocker for app distribution on May 1st.

If not, I might be able to get a PR up later this week.

@mikehardy
Collaborator

No. The manifest comes with the native sdk. We just wrap the sdk here. Fix forward if at all possible I think

@short-dsb
Contributor

short-dsb commented Apr 17, 2024

I see. So there’s no version of the native SDK that omits Limited Login but includes the privacy manifest?

Unfortunately, 13.0.0 is a breaking change that has no fix forward. Edit: At least not one that works with existing flows, since the token cannot be used to make Graph API requests.

@short-dsb
Contributor

To answer my own question: No, there is not. The relevant native SDK issue is #2384.

@yosukapro
Author

Hello, I would really appreciate it if you could tell me the plan for when we can resolve this issue?

@short-dsb
Contributor

This needs to be addressed in the native SDK before it can be addressed here. Please refer to the issue I linked above (#2384).

If a new 16.3 release is created for the native SDK that includes a privacy manifest, a new 12.1 release could be created here with that dependency. However, no one from the native SDK team has yet responded to #2384.

@short-dsb
Contributor

Per this comment, this issue will not be addressed in a 16.3 release of the native SDK. Despite being “recommended,” switching to limited login for iOS is mandatory.

Unfortunately, this issue can be closed.

@mikehardy The README.md could be updated to clarify that the authorization token cannot be used to make GraphAPI requests, since that seems to be the chief point of confusion (e.g., #521). I can put up a PR for that if you’d like.

@mikehardy
Collaborator

mikehardy commented Apr 27, 2024

A PR would be a huge help, I'll take you up on that if you can. You're at the leading edge of how it's working right now, so anything you propose will likely be perfect.

@short-dsb
Contributor

@mikehardy Happy to help. 🙂 Should I add this info to #513 or would you prefer a separate PR?

@mikehardy
Collaborator

> @mikehardy Happy to help. 🙂 Should I add this info to #513 or would you prefer a separate PR?

That would be great - apologies for asking but please tag me when ready, so I don't miss it
