Facebook Limited Login short-lived auth token limitations #5311
Comments
Hi @MykhailishynMykola, thanks for opening this issue. The team will take a look and post an update once we have more information.
@ruisebas Any updates on this?
Is this Cognito Identity Pool's federated login with OIDC (Facebook as the issuer) as the provider? I want to clarify the methods you are describing here. Can you provide us some code snippets and tell us which packages you are using?
Do you have other social provider logins on your app? Is this short-lived token issue only an issue with Facebook? Another way to provide social login is through Cognito User Pool's HostedUI.
Yes, we have Apple login also, but we don't have such issues with Apple, because we could use a refresh token there. So the issue is only with the Facebook SDK at versions higher than 17.0. Ok, I'll take a look at the Cognito User Pool's HostedUI documentation and see if that helps us fix the problem.
Previously, in older versions, we configured Facebook login and made a new entry in: So we sent a long-lived access token to graph.facebook.com and everything was good. Starting from Facebook SDK version 17.0 you could not use this access token anymore if the user pressed "Ask App Not to Track" on the Apple App Tracking Transparency popup. That is why I tried to use the login type which Facebook calls "limited login". That limited login returns us an authToken with a limited expiration duration of 1 hour (instead of a long-lived access token). After that I added it to Amazon Cognito -> Identity pools -> User access -> Identity providers and modified my code a bit:
Class LoginProvider is used as the identityProviderManager for AWSCognitoCredentialsProvider to get access to DynamoDB via AWSAppSyncClient. As I already wrote, the problem is that this token has a very short duration of one hour and the only way to get a new one is to ask the user to log in again after an hour. I was hoping that AWS could somehow fix it by adding the ability to create an AWS credential with a longer session duration. For example, here's how Firebase solved this problem:
From what I understand, the core of the issue is that Cognito Identity Pool doesn't have support for Facebook Limited Login. Looking at the identity pool authentication flow, we see that GetId is called using the ID token gotten from So with this in mind, I don't think this is an SDK issue: the SDKs don't have anything to call on the AWS Cognito backend that works, judging by the API documentation. I work with @LeeviKopakkala and have followed this thread for a few days now. We tried an approach where we set up federated login to Facebook via the user pool, and then user pool identity -> identity pool. This worked, but also didn't. We could log into Facebook on iOS just fine since we bypass the problem altogether by 'proxying' through the hosted UI. But any existing users who used Facebook as their identity provider weren't able to log in to their accounts. We haven't yet confirmed if this works if we use Did this approach work for you @MykhailishynMykola? Are your pre-existing Facebook accounts able to log in to their accounts using
Thank you - from the documentation of Cognito, it seems Facebook Limited Login is not supported at the moment. We will mark this as a feature request.
State your question
Following the update of the Facebook SDK to version 17.0, users who have disabled permissions on the App Tracking Transparency pop-up can only log in using the LoginTracking.limited tracking option. This option only provides an authToken with a limited expiration duration of 1 hour (accessToken is nil).
We cannot use the default Facebook Identity provider anymore, because it requests "graph.facebook.com" which is unavailable without the access token. That is why we created a new custom Identity provider with OpenID Connect type and Issuer - "www.facebook.com". Now everything works fine but only for an hour after the last user login.
Facebook does not offer an alternative method for refreshing a user's auth token besides explicitly requesting them to log back into the app. We aim to avoid requiring users to log in every hour to update their data in the DynamoDB database.
It is also worth saying that we can no longer use a version of the Facebook SDK older than 17.0 due to AppStore restrictions from May 1 related to the Privacy Manifest.
Any insights, suggestions, or contributions toward resolving this issue would be greatly appreciated. Thank you for your attention and support.
Which AWS Services are you utilizing?
AWSCore, AWSDynamoDB, AWSAppSync, AWSCognitoIdentityProvider
Provide code snippets (if applicable)
Environment (please complete the following information):
Device Information (please complete the following information):
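As an added illustration of the setup described in this issue (not code from the reporter or from the AWS SDK), the sketch below shows an `AWSIdentityProviderManager` that hands the Facebook Limited Login id token to the identity pool under the custom OIDC provider's issuer key and checks the token's `exp` claim locally first, so an expired one-hour token surfaces as an explicit re-login error instead of a failed GetId/GetCredentialsForIdentity call. The login key "www.facebook.com", the region and the pool id placeholder are assumptions; the JWT layout of the Limited Login token and the `AuthenticationToken.current` accessor are taken from the Facebook SDK's Limited Login flow.

```swift
import Foundation
import AWSCore
import FBSDKCoreKit   // Limited Login exposes the OIDC id token as AuthenticationToken

/// Supplies the Limited Login id token to the identity pool and refuses to hand
/// over a token that has already expired (they live ~1 hour and cannot be refreshed).
final class LimitedLoginProvider: NSObject, AWSIdentityProviderManager {
    // Must match the Issuer configured on the custom OIDC identity provider (assumed).
    static let loginKey = "www.facebook.com"

    // Surfaced to the caller so the UI can prompt for a fresh login instead of retrying silently.
    enum ProviderError: Error { case notLoggedIn, tokenExpired(Date) }

    func logins() -> AWSTask<NSDictionary> {
        guard let token = AuthenticationToken.current?.tokenString else {
            return AWSTask(error: ProviderError.notLoggedIn)
        }
        // Early exit on a locally-visible expiry; Cognito still verifies the signature server-side.
        if let exp = Self.expiry(ofJWT: token), exp <= Date() {
            return AWSTask(error: ProviderError.tokenExpired(exp))
        }
        return AWSTask(result: [Self.loginKey: token] as NSDictionary)
    }

    /// Reads the `exp` claim from a compact JWS payload without verifying the signature.
    static func expiry(ofJWT jwt: String) -> Date? {
        let parts = jwt.split(separator: ".")
        guard parts.count == 3 else { return nil }
        // base64url -> base64 with padding
        var b64 = String(parts[1])
            .replacingOccurrences(of: "-", with: "+")
            .replacingOccurrences(of: "_", with: "/")
        while b64.count % 4 != 0 { b64 += "=" }
        guard let data = Data(base64Encoded: b64),
              let claims = try? JSONSerialization.jsonObject(with: data) as? [String: Any],
              let exp = claims["exp"] as? TimeInterval else { return nil }
        return Date(timeIntervalSince1970: exp)
    }
}

// Wiring as in the issue: the provider feeds AWSCognitoCredentialsProvider.
// Region and pool id are placeholders, not values from the issue.
let credentialsProvider = AWSCognitoCredentialsProvider(
    regionType: .USEast1,
    identityPoolId: "<IDENTITY_POOL_ID>",
    identityProviderManager: LimitedLoginProvider())
```

Callers that receive `ProviderError.tokenExpired` should clear the cached identity pool credentials (`credentialsProvider.clearCredentials()`) and run the Limited Login flow again, since there is no refresh path for this token.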