Facebook Platform Policy Update

We have a hybrid mobile app (built using Ionic) that uses Auth0 to manage authentication with, among others, Facebook. The app has been working fine for the last year or so, but we recently received the following warning from Facebook:

In working to create a great Platform experience for everyone, we ask developers to ensure the apps they build comply with our Platform Policies. Your app XXXX (AppId: XXXX) doesn’t comply with the following:

Platform Policy 8.2: Native iOS and Android apps that implement Facebook Login must use our official SDKs for Login.

Please make sure your Android app is using the most recent version of our SDK for Login. You can find more information on our Android SDK for Login and other Login-related products here: Android - Facebook Login - Documentation - Meta for Developers.

You can see our visual example for this policy here: Platform Terms - Meta for Developers.

Please make the requested changes by 2019-01-14 at 12:00 PST.

Let us know when you’ve updated your app by replying to this email. If we do not hear back from you, your app will be subject to enforcement. If you have outstanding questions, respond here and we’ll do our best to help.

The whole purpose of using Auth0 is to avoid having to include and manage multiple SDKs for the various login providers. We’re concerned that this new restriction from Facebook means that we will need to rearchitect our authentication flow, possibly removing Auth0 from the mix.

This seems to relate to a previous question, which was more speculative (“what if Facebook enforces this?”), but now we find ourselves faced with a tough decision - remove Facebook altogether, or implement the Facebook SDK in a week…

Do any other Auth0 developers have experience with this sort of issue? Has anyone successfully lobbied Facebook for a “pass”? Is there an easier solution that we’ve not thought about?


Thanks for posting it @dafyd!

Personally, it’s the first time I’ve seen something like this; it must be relatively new. Definitely worth a wider audience; maybe one of our community developers has handled it somehow. Added a few tags to your topic so that others can find it even more easily!

Hi!
Did you manage to solve this problem? We received the same email today and haven’t found any fast solution so far…
Thanks!

We haven’t found a solution yet. We replied to their email, but haven’t heard back. Everything appears still to be working, so we’re not panicking just yet…

This is the reply we sent (which is, admittedly, a little snarky):

Hi,

We use Auth0 to handle our social authentication across web and mobile apps. Auth0 is responsible for triggering the login flow, which, in our hybrid mobile app, happens in a web view. This was the case when we submitted the app for Login Review. Nothing has changed since.

If we do need to completely re-engineer our login flow, it will take us more than the 5 days you’ve given us…

If anyone at Auth0 has a contact at Facebook, it would be really useful to get some clarification on this.

We’ve already started discussing it and will try to evaluate it and take it further from there.

I’ll follow up with you guys once we know something more!

The reason Facebook sends those messages is that they are trying to ensure that there are no insecure loopholes that could leave them, their apps, or their users vulnerable to exploit.

That said, Auth0 can still be used. Please make sure you adhere to FB’s updated security requirements, particularly with regard to Allowed Callbacks (requiring HTTPS).

For additional information, see:


OK, but we had already turned on the “Enforce HTTPS” setting in our Facebook Login settings when Facebook wrote to us.
Is there something else we should do?

As far as we are informed there are no more steps to take if you have enabled HTTPS. Let me circle back with our product team on that, and I’ll let you know what they have to share!


It seems like there are no other steps to take, as our product team hasn’t come back with any info on that.

If you have any other questions about that in the future, do not hesitate to post them in this thread!

I just got one of these notices as well; it seems using Auth0 leaves us out of compliance with Facebook and risks us losing access to login through it. The wording from Facebook is pretty clear.

“Platform Policy 8.2: Native iOS and Android apps that implement Facebook Login must use our official SDKs for Login.”

Additionally in the link they provide it states,

“Android apps should use the default login behavior defined by the SDK, which may use the web-view Login dialog. On iOS, only kiosk apps may use a web-view Login dialog.”

As for iOS apps, it doesn’t seem they allow web views at all for non-kiosk apps.

According to

If http://auth0.com/oauth/legacy/grant-type/access_token was supported again, we could use the tokens provided by the native FB SDK to authenticate a user through Auth0.

Is there a way for us to pass up the tokens received from the native FB SDK to authenticate a user through Auth0? If this is not possible, then to stay in compliance we would have to resort to having our backend talk to FB directly, which we would need to avoid.

Correct me if I’m wrong, I’m just coming up to speed on this.


Totally understand your concerns!

Let me discuss it internally with our product and engineering teams to see whether it’s a safe approach and how you could potentially handle it.

Hello, our apps are now in the same boat as the people above. We are requiring https on our website so the “solution” of this thread does not apply.

Is there any progress on this?

Hey @sindre

Just pinged our product team about that. Someone should reach out soon and provide further guidance.

We received a similar email from Facebook just now. “Enforce HTTPS” was already enabled in our Facebook Login settings. Is there a good way to work around this with Auth0? (we use Ionic). It sounds like they will be shutting down our app on 3/1 if we don’t take action.

Here is part of the email:

Please make the requested changes by 2019-03-01 at 12:00 PST.

Let us know when you’ve updated your app by replying to this email. If we do not hear back from you, your app will be subject to enforcement. If you have outstanding questions, respond here and we’ll do our best to help.

Hey there everyone!

I’ve had a quick chat with our product team and here’s what I want to share:

Facebook's policy is designed to afford protection from insecure login practices but currently does not account for secure identity platform services like Auth0. We are currently exploring options to afford either continued use as-is (no changes) or an alternate approach.

I’ll let you know once I have news to share!

Hi @konrad.sopala ,

I’m facing this issue as well, and have also required HTTPS for Facebook Login. I’ve been given a deadline by Facebook to meet this in about a week’s time, and wanted to know if the message you shared above came from Facebook, or if it was written by your product team. If it was written by Facebook, I could reference their position in my response to Facebook. Please let me know.

When we sent Facebook our reply (up in the first post), they extended the deadline to “soon”. We still haven’t changed anything, and our app is still working. They seem to be fairly flexible about this, as long as you engage them in conversation about the process.


Glad to hear that @dafyd!

@waterdoo the message I shared in my last message is from our product team.

@konrad.sopala Facebook has restricted my app for violating its policies and Facebook Login is no longer working in my production app. I’m using react-native-auth0.

Other apps that rely on react-native-auth0 are bound to run into this soon as well. Please escalate this to your product team as I’ve been communicating with Facebook about my case, and it appears that doing so still did not prevent the restriction.

Hey @waterdoo!

Thank you a lot for reporting that. I’ve already escalated it to our product team. Super sorry for this inconvenience. I’ll do my best to get any info from the team as soon as possible. Please also contact me via DM and send me your tenant name and email.

Thank you and sorry for the inconvenience!