Facebook login without App Track Transparency
Hi all,
We recently were running into an issue where the accessToken returned from the median.socialLogin.facebook.login call was not valid for subsequent FB.api("/me", ...) calls.
When using that accessToken for the /me request, we'd receive the error:
Invalid OAuth access token - Cannot parse access token
After speaking with a rep and some investigation, we found that the Facebook login now requires App Tracking Transparency (ATT) to be enabled, otherwise Facebook invalidates any tokens.
With ATT enabled, an unfortunate side effect is that users are prompted:
Allow "[App Name]" to track your activity across other companies' apps and websites.
Our app does not want to track users, but I'm guessing that, based on the current Facebook login integration with Median, we are required to show this as we use access tokens.
Per this GitHub thread:
I resolved this issue. The FB SDK 17.0 uses a limited login forcefully in iOS 17 when the ATT is not on. So we should implement limited logins. In the limited login, you cannot use the access token at the Graph API in your web server. You can use the authentication token which is a JWT. You can verify it and extract user information from it. So you should handle both tokens - normal access token on the ATT enabled and authentication token on the ATT not enabled. Or you can use the limited logins only and use authentication tokens.
My question to Median is: Can we have an enabled Facebook login without needing the ATT by using the authentication tokens vs the access tokens?
Thanks!
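
The quoted GitHub comment says the Limited Login authentication token is a JWT that the server verifies before trusting the user information in it. The following Node.js code is an added example, not code from the post, Median or Facebook, showing the checks such a verifier needs: pinned algorithm, signature against a JWKS, issuer, audience, expiry and nonce. The function names, issuer URL, app ID, nonce, key ID and key pair are constructed placeholders; in production the JWKS and issuer value are the ones given in Facebook's Limited Login documentation.

```javascript
// Added example: server-side checks for a Limited Login authentication token (JWT).
const crypto = require('node:crypto');

const b64urlJson = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// expected = { jwks, issuer, appId, nonce }; all values are supplied by the caller.
function verifyAuthToken(token, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = b64urlJson(h);
  // Pin the algorithm; never let the token choose it (blocks "none" and HS256 swaps).
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = expected.jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) throw new Error('unknown signing key');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = b64urlJson(p);
  if (claims.iss !== expected.issuer) throw new Error('wrong issuer');
  if (claims.aud !== expected.appId) throw new Error('token issued for another app');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  // The nonce ties the token to the login request this server started (replay check).
  if (claims.nonce !== expected.nonce) throw new Error('nonce mismatch');
  return claims;
}

// Constructed sample data: a throwaway key pair stands in for the identity provider.
function makeSample() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'test-key-1' }] };
  const expected = { jwks, issuer: 'https://issuer.example', appId: '1234567890', nonce: 'n-0S6' };
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const sign = (header, claims) => {
    const input = `${enc(header)}.${enc(claims)}`;
    const sig = header.alg === 'RS256' ? crypto.sign('RSA-SHA256', Buffer.from(input), privateKey) : Buffer.alloc(0);
    return `${input}.${sig.toString('base64url')}`;
  };
  const claims = { iss: expected.issuer, aud: expected.appId, nonce: expected.nonce, sub: 'user-42', exp: 2000000000 };
  return { expected, sign, claims };
}
```

Only the claims returned by `verifyAuthToken` should be used to identify the user; the payload of a token that fails any check is untrusted input.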