Add Facebook Limited Login Support for iOS #2046
Coveralls: Pull Request Test Coverage Report for Build 15682490243. Warning: This coverage report may be inaccurate. This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.
Looks good, just make sure you complete writing the test before merging!
✅ Test won't be implemented as it might make future maintenance harder, e.g. if the signing key is rotated by Facebook.
How to skip the nonce check? It's now not "Bad ID token", but a nonce mismatch keeps happening.
## What kind of change does this PR introduce?

Nonce matching isn't supported for Facebook Limited Login; it is skipped during OIDC login. Finalizes #2046
## What kind of change does this PR introduce?

This PR adds support for [Facebook Limited Login](https://developers.facebook.com/docs/facebook-login/limited-login/) JWTs (iOS only) to the `/token?grant_type=id_token` endpoint. This enables iOS apps using Facebook's Limited Login feature to authenticate with Supabase without requiring web browser redirects.

## What is the current behavior?

Currently, the `/token?grant_type=id_token` endpoint does not support Facebook as a provider. When iOS apps using Facebook Limited Login try to authenticate with their JWT, they receive a `Bad ID token` error because Facebook's JWT structure is not recognized by the generic OIDC parser. This was already raised by users in #1522 as well.

## What is the new behavior?

- iOS apps can now authenticate using a Facebook Limited Login JWT via the `signInWithIdToken()` function on the client side
- Facebook JWTs are properly parsed and validated
- End users can authenticate on iOS even if they don't allow tracking ([ATT](https://developer.apple.com/documentation/apptrackingtransparency))

## Additional context

Important: Android Platform Limitations

This implementation only supports iOS Facebook Limited Login. Android developers must continue using the standard OAuth flow (`signInWithOAuth()`) with web browser redirects.

Why Android is not supported in this PR:

1. Fundamental Token Differences:
   - iOS: Facebook Limited Login provides self-contained JWT ID tokens that follow OIDC standards
   - Android: Facebook SDK only provides opaque access tokens (random strings, not JWTs)
2. Validation Requirements:
   - iOS JWT: Can be validated using standard OIDC/JWKS (already handled by our infrastructure)
   - Android access tokens: Require calling Facebook Graph API for validation
3. Architectural Considerations:
   - The `/token?grant_type=id_token` endpoint is designed specifically for OIDC-compliant JWTs
   - Adding Graph API validation for Android access tokens would be out of scope and violate the endpoint's single responsibility
   - It would essentially make this an "id_token OR access_token" endpoint, which breaks the grant type semantics

WIP: Tests in `oidc_test.go` will be added.
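The validation the description relies on for the `id_token` grant (signature against the provider's key set, then `iss`, `aud` and `exp`), together with the per-provider nonce handling the follow-up note describes, as an added example in Go. This is not the project's code: the provider table, the Facebook issuer and app-ID audience values, the string-valued `aud`, the error strings and the already-parsed key set are assumptions, and the key pair and token are constructed in-process so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)
// Provider table, an assumption for this example (not the project's): Facebook Limited Login
// tokens carry iss https://www.facebook.com and the app ID as aud, and nonce matching is skipped.
type providerProfile struct {
	Issuer    string
	SkipNonce bool
}

var profiles = map[string]providerProfile{
	"facebook": {Issuer: "https://www.facebook.com", SkipNonce: true},
	"generic":  {Issuer: "https://issuer.example", SkipNonce: false},
}

type claims struct { // aud is modelled as a single string (the app ID)
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce,omitempty"`
}

type keySet map[string]*rsa.PublicKey // the provider's JWKS after parsing, keyed by kid

func enc(b []byte) string          { return base64.RawURLEncoding.EncodeToString(b) }
func dec(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// newSampleKeys: throwaway key pair plus the key set a server would derive from the JWKS (constructed).
func newSampleKeys(kid string) (*rsa.PrivateKey, keySet) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // sample-data setup only
	}
	return key, keySet{kid: &key.PublicKey}
}

// signRS256 mints a token the way the provider would; used only to build sample input.
func signRS256(key *rsa.PrivateKey, kid string, c claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signingInput + "." + enc(sig), err
}

// verifyIDToken: pinned alg, signature by kid, iss, aud, exp, then nonce unless the profile skips it.
func verifyIDToken(token, provider, audience, expectedNonce string, keys keySet, now time.Time) (*claims, error) {
	p, ok := profiles[provider]
	parts := strings.Split(token, ".")
	if !ok || len(parts) != 3 {
		return nil, errors.New("Bad ID token: unsupported provider or malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches field names case-insensitively
	if raw, err := dec(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("Bad ID token: unsupported alg") // never honour alg=none or HS* from the token
	}
	pub := keys[hdr.Kid] // a real server refreshes the JWKS once on a miss to pick up a rotated key
	sig, err := dec(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("Bad ID token: signature")
	}
	var c claims
	if raw, err := dec(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("Bad ID token: payload")
	}
	switch {
	case c.Iss != p.Issuer:
		return nil, errors.New("Bad ID token: issuer")
	case c.Aud != audience:
		return nil, errors.New("Bad ID token: audience")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("Bad ID token: expired")
	case !p.SkipNonce && c.Nonce != expectedNonce:
		return nil, errors.New("nonce mismatch")
	}
	return &c, nil
}

func main() {
	key, keys := newSampleKeys("fb-key-1")
	now := time.Now()
	fb := claims{Iss: "https://www.facebook.com", Aud: "123456789012345", Exp: now.Add(time.Hour).Unix(), Nonce: "sdk-nonce"}
	tok, _ := signRS256(key, "fb-key-1", fb)
	c, err := verifyIDToken(tok, "facebook", "123456789012345", "server-nonce", keys, now)
	fmt.Println(c != nil, err) // true <nil>: nonce matching is skipped for facebook
}
```

The order matters: the algorithm is pinned and the signature is checked before any claim is read, so a forged payload, an unknown `kid` or an `alg=none` header is rejected without reaching the issuer or nonce logic. Skipping the nonce comparison for a provider removes the binding between the ID token and the sign-in attempt that requested it, so a valid token for the same app obtained elsewhere can be presented within its validity window; the `aud` and `exp` checks are what remain to limit that, which is why neither should be relaxed alongside it.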