fix: Facebook Limited Login not working due to incorrect domain in JWT validation #9120
Thanks for opening this pull request!
So this change alone does not break any existing apps that currently send tokens?
This is my first time contributing to the project so please bear with me. I have tested logging in with Facebook using an older version of my app without installing the latest Parse SDKs and Facebook SDK. I'm actually testing with the older
Sure, if you look at the CI there are 7 tests failing with this change. Surprisingly, there are already tests for FB limited login, some of which are failing now. This PR is only for Parse Server, so this is independent of the Parse iOS SDK. Could you take a look? It seems that limited login was already supported, but I'm not sure about the implementation.
@mtrezza Yes, seems like it, and we needed to change the host to
What do the FB docs say? I assume the exact URL must be documented there? Any references?
I wasn't able to find documentation about this yet, it's just a fix that worked. Their documentation seems to suggest using
@chriscborg Yes there's no official documentation, but from what I can see both URLs https://www.facebook.com/.well-known/oauth/openid/jwks/ and https://limited.facebook.com/.well-known/oauth/openid/jwks/ work without any redirection.
@SebC99 thank you for checking. Do you know if we should be using limited.facebook.com for a more accurate implementation? Not sure if the functionality offered is different.
I currently haven't any JWT token from Facebook to test if the validation of the token works with the limited subdomain. I know it works with www as it's what we have in production.
I would suggest the opposite: dare to use We could of course change the adapter to use If you think the suggestion of 2 separate domains makes sense, please feel free to go ahead and change this PR and #9122; otherwise we can just go ahead and merge as is.
In our case, using
So let's go ahead with the PR and merge as is. Thanks for testing this out.
Merged 0e92f76 into parse-community:release-6.x.x
## [6.5.6](6.5.5...6.5.6) (2024-05-16)

### Bug Fixes

* Facebook Limited Login not working due to incorrect domain in JWT validation ([#9120](#9120)) ([0e92f76](0e92f76))

🎉 This change has been released in version 6.5.6
For reference, FB published this related to "Limited Login" endpoints:
Not sure if that warrants another PR where we use a different URL depending on the token type, as mentioned in #9120 (comment), since it seems to be working as is.
Pull Request
Issue
Add support for Facebook auth JWT token #9117
Closes: #9117
Approach
A JWT token validation implementation seems to be already in place, however the host needs to be changed from facebook.com to www.facebook.com as suggested by @SebC99, because the old host is returning error 301 which is not followed by the jwt-rsa package.
Tasks
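The failure described under "Approach" (a JWKS URL that answers with a 301 to a client that does not follow redirects) is easier to diagnose when the redirect is reported as a configuration error instead of surfacing as a failed token validation. The sketch below is an added example, not Parse Server's adapter code and not part of this PR; the function names, the sample token, the key set and the `Location` value are all constructed or assumed for illustration.

```javascript
// Added example. Models a JWKS client that does not follow redirects.
// All tokens, keys and HTTP responses here are constructed samples.
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Read the key id from the (still unverified) JWT header. It is only used
// to choose a candidate key; the signature must be verified afterwards.
function kidFromToken(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('token is not a three-part JWT');
  const b64 = parts[0].replace(/-/g, '+').replace(/_/g, '/');
  const header = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (typeof header.kid !== 'string') throw new Error('JWT header has no kid');
  return header.kid;
}

// Turn the raw JWKS HTTP response into a key or a specific error.
function selectSigningKey(response, kid) {
  const { status, headers = {}, body = '' } = response;
  if (status >= 300 && status < 400) {
    throw new Error(`JWKS URL redirected (HTTP ${status}) to ` +
      `${headers.location || 'an unspecified location'}; fix the configured URL`);
  }
  if (status !== 200) throw new Error(`JWKS URL returned HTTP ${status}`);
  let jwks;
  try { jwks = JSON.parse(body); } catch (e) { throw new Error('JWKS body is not JSON'); }
  if (!jwks || !Array.isArray(jwks.keys)) throw new Error('JWKS body has no "keys" array');
  const key = jwks.keys.find((k) => k.kid === kid && k.kty === 'RSA');
  if (!key) throw new Error(`no RSA key with kid "${kid}" in JWKS`);
  return key;
}

// Constructed inputs: one token, one redirect response (Location is assumed),
// one key-set response with placeholder key material.
const SAMPLE_TOKEN = [b64u({ alg: 'RS256', kid: 'sample-kid-1', typ: 'JWT' }),
  b64u({ iss: 'https://issuer.example', sub: '123' }), 'constructed-signature'].join('.');
const REDIRECT_RESPONSE = { status: 301,
  headers: { location: 'https://www.facebook.com/.well-known/oauth/openid/jwks/' },
  body: '' };
const KEYSET_RESPONSE = { status: 200, headers: {},
  body: JSON.stringify({ keys: [
    { kty: 'RSA', kid: 'other-kid', n: 'constructed', e: 'AQAB' },
    { kty: 'RSA', kid: 'sample-kid-1', n: 'constructed', e: 'AQAB' }] }) };

function diagnose(response, token) {
  try { return { ok: true, kid: selectSigningKey(response, kidFromToken(token)).kid }; }
  catch (e) { return { ok: false, error: e.message }; }
}
console.log(diagnose(REDIRECT_RESPONSE, SAMPLE_TOKEN));
console.log(diagnose(KEYSET_RESPONSE, SAMPLE_TOKEN));
```

Selecting a key by `kid` is only the lookup step; the token's signature and claims still have to be verified with the selected key.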