
Facebook Limited Login: Understanding changes to the iOS Facebook Login SDK

TL;DR: Meta’s update to the Facebook Login SDK introduces Limited Login for iOS, offering users enhanced privacy with minimal data sharing. Developers must request ATT permission, handle new properties like loginTracking and nonce, and process the new AuthenticationToken. No changes are needed for the logout button, and Android users are unaffected.

With Apple’s App Tracking Transparency (ATT) enforcement, Meta has made key updates to the iOS Facebook Login SDK. Now, if a user opts out of ATT or never grants consent, the SDK won’t provide valid OAuth access tokens. As a result, Graph API requests may fail with errors like OAuthException – "Invalid OAuth access token."

If you're encountering these issues, don’t worry! We’ll walk you through what’s happening, and practical steps for handling it.

Let’s dive in!


What is Facebook Limited Login? 

Facebook Limited Login is a privacy-focused alternative to the standard Facebook Login. It provides a lightweight authentication method that allows users to sign in to apps with their Facebook credentials while sharing only minimal information.

Unlike the full Facebook Login, which can grant apps access to a wide range of user data, Limited Login only supports basic profile details - such as name, profile picture, and email. Additionally, it ensures that user interactions with the app won’t be used for ad personalization or measurement, making it a more privacy-conscious option.

How to identify Facebook Limited Login attempts

When implementing Facebook Limited Login, it’s important to know how to detect when a login attempt falls under this mode. Luckily, Meta provides multiple ways to identify limited login attempts and results.

One key indicator is the login screen itself. If a user hasn’t granted App Tracking Transparency (ATT) consent or has explicitly requested Limited Login, the login request is automatically redirected to ‘limited.facebook.com’ instead of ‘facebook.com’. This instant feedback helps users and developers recognize when a user is signing in with restricted permissions.

What is the key difference between Facebook Limited Login and standard Facebook Login?

Traditionally, Facebook Login returns an OAuth access token which can be used to request additional data from the Facebook Graph API. Development tools like Meta’s Access Token Debugger help you inspect and debug the access tokens returned from successful login attempts.

However, Facebook Limited Login works differently. Instead of an OAuth token, it returns an AuthenticationToken, which wraps an OpenID Connect (OIDC) token. This ID token has stricter limitations. 

It cannot be used to:

  • Request additional data from the Graph API (e.g., friends, photos, or pages), or
  • Obtain other tokens, such as Page or session info tokens.

The full list of available datapoints that can be requested and returned with the AuthenticationToken is documented in the Facebook Developer documentation (See Limited Login for iOS).

Unlike standard OAuth tokens, the AuthenticationToken from Limited Login cannot be debugged using Meta’s Access Token Debugger. Instead, validation must be done manually by:

  1. Validating the JWT format,
  2. Validating the JWT Signature, and
  3. Checking the Standard claims of the JWT payload.

For a step-by-step guide on decoding and validating the OIDC token, refer to the Facebook Developer documentation: Validating the Limited Login OIDC Token.
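The three validation steps above, plus the nonce check that pairs with the nonce you hand to the SDK's login button, as an added worked example that is not from the original post or from Meta's SDK: a stdlib-only Python validator for the Limited Login AuthenticationToken. The issuer value and claim names are assumptions taken from standard OIDC practice and Meta's docs (confirm them against the linked page), and the RS256 check is delegated to a `verify_signature` callback because it needs the public key from Meta's JWKS endpoint.

```python
import base64
import json
import time

# Assumed issuer value for the Limited Login ID token; confirm against Meta's docs.
FB_ISSUER = "https://www.facebook.com"

class TokenError(Exception):
    pass

def b64url_decode(segment):
    # JWT segments are unpadded base64url; restore '=' padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_token(header, payload, signature):
    # Assembles a JWT from its parts; used here only to construct sample tokens.
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return ".".join([enc(json.dumps(header).encode()), enc(json.dumps(payload).encode()), enc(signature)])

def validate_limited_login_token(token, app_id, expected_nonce, verify_signature, now=None):
    """Return the verified claims or raise TokenError; verify_signature(kid, signing_input, sig)
    must check an RS256 signature against the key `kid` from Meta's JWKS (fetched by the caller)."""
    now = int(time.time()) if now is None else now
    # Step 1: format. Exactly three non-empty base64url segments that decode to JSON objects.
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise TokenError("not a three-segment JWT")
    try:
        header, payload = (json.loads(b64url_decode(s)) for s in parts[:2])
        signature = b64url_decode(parts[2])
    except ValueError as exc:  # bad base64 or bad JSON
        raise TokenError(f"malformed segment: {exc}") from exc
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        raise TokenError("header and payload must be JSON objects")
    if header.get("alg") != "RS256":  # refuse 'none' and HMAC downgrades outright
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    # Step 2: signature over the raw "header.payload" text, never over re-serialised JSON.
    if not verify_signature(header.get("kid"), f"{parts[0]}.{parts[1]}".encode("ascii"), signature):
        raise TokenError("signature verification failed")
    # Step 3: standard claims. `aud` may be a single string or a list of strings.
    if payload.get("iss") != FB_ISSUER:
        raise TokenError("unexpected issuer")
    aud = payload.get("aud")
    if app_id not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this app id")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise TokenError("token expired or missing exp")
    if payload.get("nonce") != expected_nonce:  # binds the token to the nonce handed to the SDK
        raise TokenError("nonce mismatch")
    return payload
```

In production, `verify_signature` should look up the key named by `kid` in Meta's JWKS document and verify RS256 with a vetted library (PyJWT or cryptography); `build_token` exists only to construct sample tokens for testing.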


What do I have to do when updating my app? 

If you're updating your app and upgrading to Facebook Login SDK version 17.0.0 or higher, here are the steps you need to follow for your iOS app:

  1. Request ATT permissions: Before allowing users to log in, it’s crucial to request App Tracking Transparency (ATT) permission. If the permission is not requested or not granted by the user, Facebook will automatically redirect users to limited.facebook.com and provide the Limited Login experience by default.
  2. Note changes to the Login button: When implementing Facebook Limited Login, there are two new properties you’ll need to be aware of:
  • `loginTracking`: This property controls the tracking preference for login attempts. By default, it is set to .enabled, but developers can adjust it based on their app’s requirements.
  • `nonce`: This property allows you to set an optional nonce for login attempts. A valid nonce must be:
    1. A non-empty string
    2. Free of whitespace

If an invalid nonce is provided, it won’t be set, and the SDK will generate a default unique nonce automatically for login attempts.

3. Leave the Logout button alone.

No changes are required to your app’s logout button when adopting Facebook Limited Login. The Facebook SDK automatically handles token invalidation for both standard and limited logins.

4. Apply changes to the Login flow.

When integrating Facebook Limited Login, it's important to ensure your app processes authentication attempts just like traditional Facebook Login.

Here’s what you need to do:

  • Ensure your system can recognize and handle successful Limited Login attempts
  • Properly process the returned AuthenticationToken
  • Manage user data consistently, whether the login is standard or limited

By treating Limited Login similarly to traditional logins, you can provide a smooth user experience while respecting the privacy preferences of your users.

How are my app’s users impacted by Facebook Limited Login? 

If you're considering the changes introduced by Facebook Limited Login in your app, you might wonder how it impacts existing logged-in users. The good news is that there’s no immediate effect - users who are already logged in can continue using your app as usual.

However, if you want existing users to benefit from Limited Login safeguards, they will need to log out and sign back in using Limited Login.

It’s important to note that Facebook Limited Login only applies to iOS. Android users remain unaffected, as these changes are specific to accommodate Apple’s App Tracking Transparency (ATT) policies.


Summary

Meta has updated the Facebook Login SDK to version 17.0.0+ to comply with Apple’s App Tracking Transparency (ATT) enforcement. 

The changes introduce Facebook Limited Login, a privacy-focused authentication method that provides users with minimal data sharing, by default only including their name, profile picture, and email. 

Developers of iOS apps need to request ATT permissions, ensure proper handling of the new login flow, and be aware of the changes to the login and logout buttons.

Frequently asked questions

What is Facebook Limited Login?

Facebook Limited Login is a privacy-focused login option that allows users to sign in to apps without sharing their full Facebook profile information. This option provides enhanced privacy by limiting the data shared with third-party apps while still enabling a streamlined login experience.

How does Facebook Limited Login differ from the standard Facebook Login?

Unlike the standard Facebook Login, which shares extensive user data with third-party applications, Facebook Limited Login restricts the amount of personal information shared. This includes limiting access to the user's profile picture, email, and friends list, ensuring greater control over personal data.

Can Facebook Limited Login be integrated with webview apps?

Yes, Facebook Limited Login can be integrated with webview apps. This integration allows webview apps to leverage Facebook's privacy-focused login option, ensuring enhanced user privacy by limiting the data shared with third-party apps. By using Facebook Limited Login, webview apps can still provide a streamlined login experience while maintaining robust user data security. This ensures that apps can engage users effectively without compromising their privacy.

*DISCLAIMER: This content is provided solely for informational purposes. It is not exhaustive and may not be relevant for your requirements. While we have obtained and compiled this information from sources we believe to be reliable, we cannot and do not guarantee its accuracy. This content is not to be considered professional advice and does not form a professional relationship of any kind between you and GoNative.io LLC or its affiliates. Median.co is the industry-leading end-to-end solution for developing, publishing, and maintaining native mobile apps for iOS and Android powered by web content. When considering any technology vendor we recommend that you conduct detailed research and “read the fine print” before using their services.*