Facebook Limited Login short-lived auth token limitations

[MykhailishynMykola]

State your question
Following the update of the Facebook SDK to version 17.0, users who have disabled permissions on the App Tracking Transparency pop-up can only log in using the LoginTracking.limited tracking option. This option only provides an authToken with a limited expiration duration of 1 hour (accessToken is nil).
We cannot use the default Facebook Identity provider anymore, because it requests "graph.facebook.com" which is unavailable without the access token. That is why we created a new custom Identity provider with OpenID Connect type and Issuer - "www.facebook.com". Now everything works fine but only for an hour after the last user login.
Facebook does not offer an alternative method for refreshing a user's auth token besides explicitly requesting them to log back into the app. We aim to avoid requiring users to log in every hour to update their data in the DynamoDB database.
It is also worth saying that we can no longer use a version of the Facebook SDK older than 17.0 due to AppStore restrictions from May 1 related to the Privacy Manifest.

Any insights, suggestions, or contributions toward resolving this issue would be greatly appreciated. Thank you for your attention and support.

Which AWS Services are you utilizing?
AWSCore, AWSDynamoDB, AWSAppSync, AWSCognitoIdentityProvider

Provide code snippets (if applicable)

Environment(please complete the following information):

• SDK Version: [2.30.4]
• Dependency Manager: [Cocoapods]
• Swift Version : [5.0]

Device Information (please complete the following information):

• Device: [iPhone11]
• iOS Version: [iOS 17.4.1]

[ruisebas]

Hi @MykhailishynMykola , thanks for opening this issue.

The team will take a look and post an update once we have more information.

[LeeviKopakkala]

@ruisebas Any updates on this?

[lawmicha]

is this Cognito Identity Pool's federated login with OIDC (Facebook as the issuer) as the provider ? Want to clarify the methods you are describing here and can you provide us some code snippets and which packages you are using?

[lawmicha]

Do you have other social provider logins on your app? Is this short lived token issue only an issue with Facebook? Another way to provide social login is through Cognito User Pool's HostedUI.

[MykhailishynMykola]

Do you have other social provider logins on your app? Is this short lived token issue only an issue with Facebook? Another way to provide social login is through Cognito User Pool's HostedUI.

Yes, we have Apple login also, but we don't have such issues with Apple, because we could use a refresh token there. So the issue is only with Facebook SDK with a version bigger than 17.0. Ok, I'll take a look at Cognito User Pool's HostedUI documentation and see if that helps us fix the problem.

is this Cognito Identity Pool's federated login with OIDC (Facebook as the issuer) as the provider ? Want to clarify the methods you are describing here and can you provide us some code snippets and which packages you are using?

Previously, in older versions, we configured Facebook login and made a new entry in:
Amazon Cognito -> Identity pools -> User access -> Identity providers:
Identity provider - https://graph.facebook.com/
Identity provider type - Facebook
Client ID - "our Facebook SKD client id"

So we sent long-lived access token to graph.facebook.com and everything was good. Starting from Facebook SDK version 17.0 you could not use this access token anymore if the user pressed "Ask App Not to Track" on the Apple App Tracking transparency popup. That is why I tried to use login type which Facebook call "limited login". That limited login returns us an authToken with a limited expiration duration of 1 hour (instead of long-lived access token).
So I configured a new identity provider in:
IAM -> Identity providers -> Add provider:
Provider - https://www.facebook.com/
Type - OpenID Connect

After that I have added it to Amazon Cognito -> Identity pools -> User access -> Identity providers and modified a bit my code:

class LoginProvider: NSObject, AWSIdentityProviderManager {
    func logins() -> AWSTask<NSDictionary> {
        // How it was before:
        //return AWSTask(result: [AWSIdentityProviderFacebook: accessToken])
        
        // How it is now:
        return AWSTask(result: ["www.facebook.com": authToken])
    }
}

Class LoginProvider is using as identityProviderManager for AWSCognitoCredentialsProvider to get access to DynamoDB via AWSAppSyncClient.

As I already wrote, the problem is that this token has a very short duration of one hour and the only way to get a new one is to ask the user to log in again after an hour. I was hoping that AWS could somehow fix it by adding the ability to create an AWS credential with a longer session duration. For example, here's how Firebase solved this problem:
https://firebase.google.com/docs/auth/ios/facebook-login#implement_facebook_login

// Initialize a Firebase credential.
let idTokenString = AuthenticationToken.current?.tokenString
let nonce = currentNonce
let credential = OAuthProvider.credential(withProviderID: "facebook.com", idToken: idTokenString!, rawNonce: nonce)

[baalimago]

From what I understand, the core of the issue is that cognito identity pool doesn't have support for facebook limited login. Looking at the identity pool authentication flow , we see that GetId is called using the ID token gotten from graph.facebook.com (the only alternative to log into facebook, as of 2024-06-13). This api, GetId, cannot create an identity for a Id token coming from www.facebook.com, there is no option for this. As such, it can't succeed. There is no way to create an Identity ID using a Id token from www.facebook.com (as in: using facebook limited login). Please correct me if I'm wrong, I really hope I am.

So with this in mind, I don't think this is an SDK issue: the sdk's doesn't have anything to call on the AWS cognito backend which works, judging by the API documentation.

---

I work with @LeeviKopakkala and have followed this thread for a few days now. We tried an approach where we setup federated login to Facebook via the user pool, and then user pool identity -> identity pool. This worked, but also didn't. We could log into Facebook on IOS just fine since we bypass the problem all together by 'proxying' through the hosted UI. But, any existing users who used Facebook as their identity provider weren't able to log in to their accounts. We haven't yet confirmed if this works if we use www.facebook.com as an OIDC provider, but I'm doubtful that it will work since OIDC will likely use a different method to generate/hash the identity ID.

Did this approach work for you @MykhailishynMykola? Are your pre-existing facebook accounts able to log in to their accounts using www.facebook.com as oidc provider?

[thisisabhash]

Thank you - from the documentation of Cognito, it seems Facebook Limited login is not supported at the moment. We will mark this as feature request.