Calling oauth/access_token not allowed? (How to get id_token from Facebook login token)

Until this morning I could use oauth/access_token to get an id_token from a Facebook login token that was received using the native Facebook SDK.

Now I get error:

Grant type ‘’ not allowed for the client.

Has something changed? Is there another way to get an id_token?

This is required for proper native mobile user experience.


I assume this is because of:

This feature is disabled by default for new tenants as of 5 June 2017 due to security implications. Please see Client Grant Types for more information.

You’re correct about the underlying reason, the grant is now considered a legacy grant and is not available by default on new clients. Depending on when was your tenant created, see this docs page for concrete info, you may or may not autonomously update a client through the Management API in order to include that grant, the client will have to have a certain configuration for that grant to be allowed even if you’re allowed to change it yourself; for example, the client will need to be a first party client.

If you created your account after the change was introduced you may put your case for consideration, but given the characteristics of that functionality we highly encourage you to consider alternatives; which in this case would be to use browser-based authentication.

Got it. How does this affect Facebook login in native mobile apps where user is logged into Facebook in the native Facebook app, but not with Safari? Do they have to sign in manually again?