6

We have been using Facebook login in our app since forever and this has always worked well.

We have upgraded to the SDK v.17 and have changed the code to use limited login into our app. When we open the Facebook login screen, we are always getting this warning:

"If you are not using Limited Login, you will need to handle all Graph API calls using Graph API, iOS. The access token will not be valid. To learn more about changes to the Facebook SDK for iOS and how you can continue using the Facebook Login SDK, visit the blog."

This is strange, because as you can see in the screenshot it does go to limited.facebook.com...

We have implemented it as per the documentation, here is a code snippet with the relevant lines of code:

let facebookManager = LoginManager()
guard let configuration = LoginConfiguration(permissions: ["email", "public_profile"], tracking: .limited, nonce: UUID().uuidString)
else {
    return
}
facebookManager.logIn(configuration: configuration) { [self] result in
    switch result {
    case .cancelled:
        // throw cancelled
        break
    case .failed:
        // throw failed
        break
    case .success:
        // Limited Login returns an authentication token (a JWT), not a Graph API access token
        if let token = AuthenticationToken.current?.tokenString {
            // send token to server
        } else {
            // throw no token error
        }
    }
}

Why do we get the warning on the Facebook Login page? Other than the above, is there anything else we need to change to use limited login? What are we missing here? Also the token we get back doesn't seem to be valid (yet to be confirmed).

2 Answers

2

Per this doc, "Changes made to Facebook Login SDK for iOS":

In order to avoid potential app disruption, we are recommending iOS developers to do one of the following, based on how their application is utilizing FBLogin:

  • Developers currently using Limited Login and/or manual endpoints: Update the Facebook Login SDK to the most recent version and update any Limited Login endpoint domains within your application to the new Limited Login endpoint (as shown here).
  • Developers not currently using Limited Login: We recommend you update the Facebook Login SDK to the most recent version, integrate Limited Login into your application, and update any Limited Login endpoint domains within your application to the new Limited Login endpoint (as shown here). Alternatively, you can update the Facebook Login SDK to the most recent version without integrating Limited Login into your application. However, if you do not integrate Limited Login, you will need to handle all Graph API calls using Graph API, iOS. Any Graph API, iOS calls that do not fall within these permissions will fail. Also, please note that the access token will not be valid.

And "Guidance for FB SDK for iOS 17.0.0 or later versions":

For iOS 17.0 and later devices, you are no longer required to set the Advertiser Tracking Enabled parameter for Facebook SDK for iOS 17.0.0 and later versions. We now rely on Apple’s App Tracking Transparency (ATT) system API to determine ATT permission status for app events sent through Facebook SDK for iOS 17.0.0 and later versions.


We know that the FB SDK 17.0 enforces limited logins on iOS 17 when App Tracking Transparency (ATT) is disabled. So we should implement limited login. In limited login, you won’t be able to use the access token with the Graph API on your web server. Instead, use the authentication token to verify and extract user information.

To cover both scenarios, handle the normal access token when ATT is enabled and the authentication token when ATT is disabled. Or you can only use limited login along with authentication tokens.


Here is some sample code to verify the authentication token:

const jwt = require('jsonwebtoken');
const jwksClient = require('jwks-rsa');

// Your Facebook app ID, used as the expected audience
// (the environment variable name is an assumption).
const appId = process.env.FACEBOOK_APP_ID;

// Fetches Facebook's public signing keys (JWKS).
const client = jwksClient({
  jwksUri: 'https://www.facebook.com/.well-known/oauth/openid/jwks/'
});

// Resolve the public key matching the "kid" in the token header.
const getKey = function(header, callback) {
  return client.getSigningKey(header.kid, function(err, key) {
    if (err) {
      return callback(err, null);
    }
    return callback(null, key.getPublicKey());
  });
};

// Verify signature, algorithm, audience and issuer of the authentication token.
const verifyToken = function(token, next) {
  return jwt.verify(token, getKey, {
    algorithms: ['RS256'],
    audience: appId,
    issuer: 'https://www.facebook.com'
  }, function(err, decoded) {
    return next(err, decoded);
  });
};

// Verify the token and extract the user fields from its claims.
const verifyFacebookJwtToken = function(jwtToken, next) {
  return verifyToken(jwtToken, function(err, decoded) {
    if (err != null) {
      return next(err);
    }
    return next(null, {
      facebookId: decoded.sub,
      facebookName: decoded.name,
      email: decoded.email
    });
  });
};

1
  • Thanks for the code sample, very helpful
    – Ric Santos
    Commented Jul 10 at 7:28
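
An added example (not part of the answer above, and not Facebook's code) of the same verification done with only Node's built-in `crypto`, extended with a check of the `nonce` that the question passes to `LoginConfiguration`, so that a captured token cannot be replayed. It assumes the server issues the nonce and the app passes it to the SDK; `issueNonce`, `consumeNonce`, `signSampleToken` and the throwaway key pair are hypothetical names and constructed fixtures, and in production the public key comes from the JWKS endpoint as in the answer.

```javascript
const crypto = require('node:crypto');

// Constructed fixture: a throwaway RSA key pair stands in for the JWKS signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64url = (s) => Buffer.from(s).toString('base64url');

// Hypothetical server-side nonce store: issue before login, consume exactly once.
const pendingNonces = new Map(); // nonce -> expiry (ms since epoch)
function issueNonce(ttlMs = 5 * 60 * 1000, now = Date.now()) {
  const nonce = crypto.randomUUID();
  pendingNonces.set(nonce, now + ttlMs);
  return nonce;
}
function consumeNonce(nonce, now = Date.now()) {
  const expiry = pendingNonces.get(nonce);
  pendingNonces.delete(nonce);
  return expiry !== undefined && expiry > now;
}

// Builds a constructed RS256 token for the demo; real tokens come from the SDK.
function signSampleToken(claims, key = privateKey) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const input = `${header}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), key).toString('base64url')}`;
}

function verifyAuthenticationToken(token, key, appId, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
  if (header.alg !== 'RS256') throw new Error('unexpected algorithm');
  const signed = Buffer.from(`${head}.${body}`);
  if (!crypto.verify('sha256', signed, key, Buffer.from(sig, 'base64url'))) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  if (claims.iss !== 'https://www.facebook.com') throw new Error('bad issuer');
  if (claims.aud !== appId) throw new Error('bad audience');
  if (typeof claims.exp !== 'number' || claims.exp * 1000 <= now) throw new Error('token expired');
  // Checked last, so a token that fails the checks above does not burn a valid nonce.
  if (typeof claims.nonce !== 'string' || !consumeNonce(claims.nonce, now)) {
    throw new Error('unknown or replayed nonce');
  }
  return { facebookId: claims.sub, facebookName: claims.name, email: claims.email };
}
```
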
0

It looks like it will always appear for test users (added in the Meta developers console) and should not be displayed for public users.

Please refer to the official iOS repository issue: https://github.com/facebook/facebook-ios-sdk/issues/2389

1
