Add Facebook Limited Login Support for iOS (#2046)

## What kind of change does this PR introduce?

This PR adds support for [Facebook Limited
Login](https://developers.facebook.com/docs/facebook-login/limited-login/)
JWT (iOS only) to the `/token?grant_type=id_token` endpoint. This
enables iOS apps using Facebook's Limited Login feature to authenticate
with Supabase without requiring web browser redirects.

## What is the current behavior?

Currently, the `/token?grant_type=id_token` endpoint does not support
Facebook as a provider. When iOS apps using Facebook Limited Login try
to authenticate with their JWT, they receive a `Bad ID token` error
because Facebook's JWT structure is not recognized by the generic OIDC
parser. This is already raised by users in
#1522 as well.

## What is the new behavior?

- iOS apps can now authenticate using Facebook Limited Login JWT via
`signInWithIdToken()` function on the client side
  - Facebook JWT are properly parsed and validated
- End users can authenticate on iOS even if they dont allow tracking
([ATT](https://developer.apple.com/documentation/apptrackingtransparency))

## Additional context

Important: Android Platform Limitations

This implementation only supports iOS Facebook Limited Login. Android
developers must continue using the standard OAuth flow
(`signInWithOAuth()`) with web browser redirects.

Why Android is not supported in this PR:

1. Fundamental Token Differences:
- iOS: Facebook Limited Login provides self-contained JWT ID tokens that
follow OIDC standards
- Android: Facebook SDK only provides opaque access tokens (random
strings, not JWTs)
2. Validation Requirements:
- iOS JW: Can be validated using standard OIDC/JWKS (already handled by
our infrastructure)
- Android access tokens: Require calling Facebook Graph API for
validation
3. Architectural Considerations:
- The /token?grant_type=id_token endpoint is designed specifically for
OIDC-compliant JWT
- Adding Graph API validation for Android access tokens would be out of
scope and violate the endpoint's single responsibility
- It would essentially make this an "id_token OR access_token" endpoint,
which breaks the grant type semantics

WIP: Tests in `oidc_test.go` will be added.

Author: cemalkilic

example.env

@@ -83,6 +83,7 @@ GOTRUE_EXTERNAL_FACEBOOK_ENABLED="false"
 GOTRUE_EXTERNAL_FACEBOOK_CLIENT_ID=""
 GOTRUE_EXTERNAL_FACEBOOK_SECRET=""
 GOTRUE_EXTERNAL_FACEBOOK_REDIRECT_URI="https://localhost:9999/callback"
+GOTRUE_EXTERNAL_FACEBOOK_SKIP_NONCE_CHECK=true
 
 # Figma OAuth config
 GOTRUE_EXTERNAL_FIGMA_ENABLED="false"

internal/api/provider/oidc.go

@@ -61,6 +61,9 @@ func ParseIDToken(ctx context.Context, provider *oidc.Provider, config *oidc.Con
 		token, data, err = parseKakaoIDToken(token)
 	case IssuerVercelMarketplace:
 		token, data, err = parseVercelMarketplaceIDToken(token)
+	case IssuerFacebook:
+		// Handle only Facebook Limited Login JWT, NOT Facebook Access Token
+		token, data, err = parseFacebookIDToken(token)
 	default:
 		if IsAzureIssuer(token.Issuer) {
 			token, data, err = parseAzureIDToken(token)
@@ -121,6 +124,44 @@ func parseGoogleIDToken(token *oidc.IDToken) (*oidc.IDToken, *UserProvidedData,
 	return token, &data, nil
 }
 
+// FacebookIDTokenClaims represents the claims in a Facebook Limited Login ID token
+type FacebookIDTokenClaims struct {
+	jwt.RegisteredClaims
+	Email   string `json:"email"`
+	Name    string `json:"name"`
+	Picture string `json:"picture"`
+	Nonce   string `json:"nonce,omitempty"`
+}
+
+func parseFacebookIDToken(token *oidc.IDToken) (*oidc.IDToken, *UserProvidedData, error) {
+	var claims FacebookIDTokenClaims
+	if err := token.Claims(&claims); err != nil {
+		return nil, nil, err
+	}
+
+	var data UserProvidedData
+
+	if claims.Email != "" {
+		data.Emails = append(data.Emails, Email{
+			Email:    claims.Email,
+			Verified: true, // Facebook Limited Login emails are always verified
+			Primary:  true,
+		})
+	}
+
+	data.Metadata = &Claims{
+		Issuer:        token.Issuer,
+		Subject:       token.Subject,
+		Name:          claims.Name,
+		Picture:       claims.Picture,
+		ProviderId:    token.Subject,
+		Email:         claims.Email,
+		EmailVerified: claims.Email != "",
+	}
+
+	return token, &data, nil
+}
+
 type AppleIDTokenClaims struct {
 	jwt.RegisteredClaims