
Can we use the native Facebook mobile app to sign in instead of a web view?

android
authentication
ios
native

#1

We use the Auth0 Swift https://github.com/auth0/Auth0.swift for iOS and Auth0 Android https://github.com/auth0/Auth0.Android native SDKs. Currently, logging in/authentication works using an in-app web browser. Is it possible to launch the native mobile Facebook app (or native Twitter app, etc.) to authenticate/log in? (I’ve seen other apps do this. They log in using Facebook, and once completed, the original app is relaunched.) I looked through the documentation and it seems it used to be possible using Lock iOS v1 and Lock Android, but no longer. Is this indeed correct? Will this feature be added back? And when?


#2

We are having trouble with this too.
Using a webview completely negates the UX benefit of using FB login. If a user has to remember their FB email and password, then enter their username and password, they might as well have created a new email/password account instead.
And most users will need to enter their FB credentials into the webview login since most people use the FB app and most apps implementing FB login use the app not a webview.
It also looks untrustworthy. A typical user wouldn’t know if this is a legitimate FB login screen or a phishing attempt.


#3

We’re having the same problem. As a partial solution we capture the call to window.open and open that in the native browser, e.g. Safari. At least this way if you’re logged into Facebook on Safari, you’ll be able to reuse that session. Having the choice to open it in the mobile native Facebook app would be better though.


#4

See duplicate: https://community.auth0.com/questions/11839/authenticate-using-native-fb-app


#5

Yes, I saw that question. But the reason why I asked my question is because the other question is regarding React-Native and not the native iOS and Android SDKs. So my question is not technically a duplicate.


#6

I have the same situation. Currently considering a switch from IDServer. I start by launching a native Facebook login, then passing the user's token to the idserver. I guess this can be made the same with Auth0 either using the SDK or the REST API. Not sure if they both support it. This way you can very simply get the behavior you are looking for.


#7

There have been discussions around this implementation, but at the moment it is not supported. While the solution that uses the Facebook native app carries a better UX, we are currently following the recommendations of the Internet Engineering Task Force (IETF), who has recently released a Best Current Practices (BCP) when using OAuth 2.0 with native mobile applications, where it states that OAuth 2.0 authorization requests from native apps should only be made through external user-agents, primarily the user's browser.

You can read more about this recommendation here:

https://auth0.com/blog/oauth-2-best-practices-for-native-apps/

https://www.rfc-editor.org/rfc/rfc8252.txt

https://auth0.com/docs/design/browser-based-vs-native-experience-on-mobile


#8

Thanks for the detailed explanation.

I skimmed through the RFC and read section 5 “Using Inter-App URI Communication for OAuth.” So it’s definitely possible to support the native flow (using external user-agents) sans browser. (“Primarily” doesn’t mean “exclusively.”) So please put my vote in for this feature request! 🙂


#9

We also are in desperate need of this feature from a UX perspective point of view. As @anthony.manning.fran already pointed out, the FB Login flow loses lots of its benefits when FB login has to be used this way.

Is there any way to achieve a flow including the native FB app using Lock 11 or a custom login solution using auth.js? (of course, a solution using the present Lock 11 would be very much appreciated)


#10

@ricardo.batista: As @chrisjf investigated, a UX friendlier flow should not violate the RFC anyways. Could you please reconsider implementing this feature?


#11

Desperate for this feature too. Just implemented Auth0 and I’m surprised this isn’t already in place. Using webview seems fairly pointless if users are required to enter email address and password - it’s nearly as quick to register with an email/password account.

Any more information on this feature?


#12

We have used Auth0 for quite some time now, and we also feel this is a major UX disadvantage. As much as we love Auth0 we are considering other authentication providers because of this.

It would be great to hear if Auth0 is reconsidering this solution?


#13

I think it would relieve our pain if Auth0 would step back from deprecating the grant_type “http://auth0.com/oauth/legacy/grant-type/access_token”. Because then, from my point of view, it should be possible to use the Facebook SDK to log in the user, and then to use the FB auth_token to authenticate the user towards Auth0.


#14

At the risk of sounding repetitive: this is a really big thing for us too. We want our users to experience as little friction as possible when logging into our mobile apps and right now the whole experience is just frustrating to them (and therefore to us).

We absolutely love what Auth0 has done for us in terms of security, stability and user satisfaction, so fingers crossed y’all will fix this one.