
Can we use the native Facebook mobile app to sign in instead of a web view?

android
ios
native
authentication

#1

We use the Auth0 Swift https://github.com/auth0/Auth0.swift for iOS and Auth0 Android https://github.com/auth0/Auth0.Android native SDKs. Currently, logging in/authentication works using an in-app web browser. Is it possible to launch the native mobile Facebook app (or native Twitter app, etc.) to authenticate/log in? (I’ve seen other apps do this. They log in using Facebook, and once completed, the original app is relaunched.) I looked through the documentation and it seems it used to be possible using Lock iOS v1 and Lock Android, but no longer. Is this indeed correct? Will this feature be added back? And when?


#2

We are having trouble with this too.
Using a webview completely negates the UX benefit of using FB login. If a user has to remember their FB email and password, then enter their username and password, they might as well have created a new email/password account instead.
And most users will need to enter their FB credentials into the webview login since most people use the FB app and most apps implementing FB login use the app not a webview.
It also looks untrustworthy. A typical user wouldn’t know if this is a legitimate FB login screen or a phishing attempt.


#3

We’re having the same problem. As a partial solution we capture the call to window.open and open that in the native browser, e.g. Safari. At least this way if you’re logged into Facebook on Safari, you’ll be able to reuse that session. Having the choice to open it in the mobile native Facebook app would be better though.


#4

See duplicate: https://community.auth0.com/questions/11839/authenticate-using-native-fb-app


#5

Yes, I saw that question. But the reason why I asked my question is because the other question is regarding React-Native and not the native iOS and Android SDKs. So my question is not technically a duplicate.


#6

I have the same situation. Currently considering a switch from IDServer. I start by launching a native Facebook login, then passing the user's token to the IDServer. I guess this can be done the same way with Auth0, either using the SDK or the REST API. Not sure if they both support it. This way you can very simply get the behavior you are looking for.


#7

There have been discussions around this implementation, but at the moment it is not supported. While the solution that uses the Facebook native app carries a better UX, we are currently following the recommendations of the Internet Engineering Task Force (IETF), which has recently released a Best Current Practice (BCP) for using OAuth 2.0 with native mobile applications, where it states that OAuth 2.0 authorization requests from native apps should only be made through external user-agents, primarily the user's browser.

You can read more about this recommendation here:

https://auth0.com/blog/oauth-2-best-practices-for-native-apps/

https://www.rfc-editor.org/rfc/rfc8252.txt

https://auth0.com/docs/design/browser-based-vs-native-experience-on-mobile


#8

Thanks for the detailed explanation.

I skimmed through the RFC and read section 5 “Using Inter-App URI Communication for OAuth.” So it’s definitely possible to support the native flow (using external user-agents) sans browser. (“Primarily” doesn’t mean “exclusively.”) So please put my vote in for this feature request! :)


#9

We also are in desperate need of this feature from a UX point of view. As @anthony.manning.fran already pointed out, the FB Login flow loses lots of its benefits when FB login has to be used this way.

Is there any way to achieve a flow including the native FB app using Lock 11 or a custom login solution using auth.js? (of course, a solution using the present Lock 11 would be very much appreciated)


#10

@ricardo.batista: As @chrisjf investigated, a UX-friendlier flow should not violate the RFC anyway. Could you please reconsider implementing this feature?