facebook / facebook-ios-sdk

Used to integrate the Facebook Platform with your iOS & tvOS apps.

Home Page: https://developers.facebook.com/docs/ios


Facebook Login iOS SDK Authentication Token Has No Signature

paul-livefront opened this issue · comments


Xcode version

15.3

Facebook iOS SDK version

17.0.2

Dependency Manager

SPM

SDK Framework

Login

Goals

We're attempting to migrate to the Limited Login flow in the latest versions of the iOS SDK. We get back an AuthenticationToken (JWT), but we're unable to validate it because the signature portion of the JWT is always missing/empty.

Expected results

The JWT contained in AuthenticationToken.current?.tokenString after login should have a properly formatted header, payload, and signature.

Actual results

The JWT contains a header and payload, but the signature is empty.

Steps to reproduce

1. Log in with limited tracking configured.
2. After the successful login attempt, AuthenticationToken.current?.tokenString has an incomplete JWT value.

Code samples & details

import FBSDKLoginKit
import UIKit

// Limited Login: request the public profile and email with limited tracking.
func logInWithLimitedTracking(from viewController: UIViewController) {
    guard let configuration = LoginConfiguration(
        permissions: [.publicProfile, .email],
        tracking: .limited
    ) else {
        return
    }

    let loginManager = LoginManager()
    loginManager.logIn(viewController: viewController, configuration: configuration) { result in
        switch result {
        case .success:
            // We should now have a valid AuthenticationToken.current?.tokenString.
            let tokenString = AuthenticationToken.current?.tokenString
            print("Authentication token: \(tokenString ?? "nil")")
        case .cancelled:
            // The user dismissed the login dialog.
            break
        case .failed(let error):
            // Handle the login error.
            print("Login failed: \(error)")
        }
    }
}

By default, any attempt to print or otherwise display the tokenString is truncated by Xcode. Often, this results in receiving 1.5 to 2.5 of the 3 segments during testing/development.

Any update on this? Is it bad practice to just read the Profile object and send those properties straight to the server to create/login the user?

import FBSDKCoreKit

// Reads the profile cached on the device after login.
if let profile = Profile.current {
    print("FB Profile: \(profile.description)")
    print("FB Profile userID: \(profile.userID)")
    print("FB Profile first: \(profile.firstName ?? "")")
    print("FB Profile last: \(profile.lastName ?? "")")
    print("FB Profile email: \(profile.email ?? "")")
}

Any update on this?

Did you verify it wasn't the truncation issue I mention above? If AuthenticationToken.current?.tokenString is missing the signature but otherwise looks like a valid token, that probably means you're reading it in a way that causes truncation (Xcode does this in places you wouldn't expect).

Is it bad practice to just read the Profile object and send those properties straight to the server to create/login the user?

Yes, this is very bad practice. With this approach, it would be possible to maliciously pose as another user. Further, a compromised user account's login will not properly "expire" after it is recovered, since this data is replayable due to having neither a timestamp nor a signature (nor a nonce). The client-side profile information should be treated the same as any other user-supplied information: Useful in places where you'd trust the user or where the attacker is attacking themselves (e.g., "Welcome back, [First] [Last]" messages).
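A server-side check for the token this thread is about, added here as an example that is not part of the SDK or of anyone's reply: it rejects the empty-signature token described in the issue and the replayable data the last reply warns about, by requiring three segments, a non-empty signature, and matching issuer, audience, nonce and expiry claims. The issuer string is the one Facebook documents for Limited Login; the app id and nonce are assumed to come from the server's own configuration and the nonce it handed the client, and signature verification against the issuer's published JWKS is the mandatory step that must follow and is not included.

```python
import base64
import json
import time

# Issuer per Facebook's Limited Login documentation. The app id and nonce passed
# to the check are assumed to come from the server's own configuration and
# from the nonce it issued to the client for this login attempt.
EXPECTED_ISSUER = "https://www.facebook.com"

def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_limited_login_token(token, app_id, nonce, now=None):
    """Return the reasons the token must be rejected (empty list = structural and
    claim checks pass). Signature verification against the JWKS is not done here."""
    problems = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["expected 3 segments, got %d" % len(parts)]
    header_b64, payload_b64, signature_b64 = parts
    if not signature_b64:
        # The symptom from this issue: header and payload present, signature
        # absent. Nothing about such a token can be trusted.
        problems.append("signature segment is empty")
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return problems + ["header or payload is not valid base64url JSON"]
    if header.get("alg") != "RS256":
        problems.append("unexpected alg %r" % header.get("alg"))
    if payload.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer mismatch")
    if payload.get("aud") != app_id:
        problems.append("audience is not this app")
    if payload.get("nonce") != nonce:
        problems.append("nonce mismatch (possible replay)")
    now = time.time() if now is None else now
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        problems.append("token expired or has no exp")
    return problems

def make_unsigned_sample(claims):
    # Constructed sample resembling what the issue reports: a valid header and
    # payload followed by an empty signature segment.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "RS256", "typ": "JWT"}), enc(claims))
```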