Two factor authentication required. User have to enter a code from SMS or TOTP code generator to pass 2fac.

Question

Two factor authentication required. User have to enter a code from SMS or TOTP code generator to pass 2fac.

Denalda-lab opened this issue 8 months ago · comments

Which SDK version are you using?

    <dependency>
        <groupId>com.facebook.business.sdk</groupId>
        <artifactId>facebook-java-business-sdk</artifactId>
        <version>18.0.2</version>
    </dependency>

What's the issue?

I am trying to generate an access token for admin user system with id 100034358611019. Instead of returning the access token I get an error response related with 2FA:

{
"error": {
"message": "Two factor authentication required. User have to enter a code from SMS or TOTP code generator to pass 2fac. This could happen when accessing a 2fac-protected asset like a page that is owned by a 2fac-protected business manager.",
"type": "OAuthException",
"code": 415,
"error_data": {
"hash": "8874359819718335175"
},
"error_subcode": 2859009,
"is_transient": false,
"error_user_title": "Two-factor authentication required",
"error_user_msg": "To continue working in your account, please refresh this page to authenticate. Or navigate to the business settings page and authenticate when prompted.",
"fbtrace_id": "AwfkZm6RouSgmnWYNFln2q1"
}
}

Steps/Sample code to reproduce the issue

User is redirected to facebook login form and enters his credentials
User is redirected to the form that requires verification code to continue
User gets the verification code
User enters the verification code to the form
User is logged in successfully and he is able to navigate to the app.
User is trying to generate an access token for an admin system user like below:

new User.APIRequestCreateAccessToken("100034358611019", FacebookUtil.createApiContext(accessToken))
.setBusinessApp("2990249911190581")
.setScope("business_management").execute();

And gets the error message:
Two factor authentication required. User have to enter a code from SMS or TOTP code generator to pass 2fac. This could happen when accessing a 2fac-protected asset like a page that is owned by a 2fac-protected business manager. To continue working in your account, please refresh this page to authenticate. Or navigate to the business settings page and authenticate when prompted.

Expected Results:

Can somebody tell me what's the problem behind this?

Where is supposed to enter the code?
What should I refresh in a mobile app?
Should I handle 2FA by my own programmatically?

Shuotian Cheng · Answer 1 · Fri Oct 27 2023 01:33:19 GMT+0800 (China Standard Time)

This happens due to an enforcement on requiring 2fa on generating system user tokens. Right now the only workaround for developers is to generate the access token from the UI: https://business.facebook.com/settings/system-users or you could try to generate access tokens on non system users.

Denalda-lab · Answer 2 · Mon Oct 30 2023 18:41:03 GMT+0800 (China Standard Time)

Hello @stcheng

Thank you for the response.

I can not use an access token of a non system user. I want to invite a user to an existing facebook business account:

        new Business.APIRequestCreateBusinessUser("181431399044864",FacebookUtil.createApiContext(request.getAccessToken()))
                .setEmail("test@gmail.com")
                .setRole(BusinessUser.EnumRole.VALUE_EMPLOYEE)
                .execute();

but it returns me:

{
"error": {
"message": "Application does not have permission for this action",
"type": "OAuthException",
"code": 10,
"error_data": {
"hash": null
},
"error_subcode": 2859030,
"is_transient": false,
"error_user_title": "This Action Is Not Allowed",
"error_user_msg": "Please retry this action in a few minutes",
"fbtrace_id": "AsErZRmD617WCt9yYFZkUZR"
}
}

My App and the access token I am using have the right permission to execute this action. My app has business_management permission (advanced access) and my user has an administrative role, which means I am able to invite the exact new user to the same business manager via facebook ui.

After some investigations I figured out that I can successfully execute the action if using an admin system user access token instead. Now I need to generate a system user access token programmatically.

Shuotian Cheng · Answer 3 · Wed Nov 01 2023 00:31:21 GMT+0800 (China Standard Time)

@Denalda-lab right now we do not provide an official way to generate system user access tokens programmatically. thanks for understanding.

Denalda-lab · Answer 4 · Wed Nov 01 2023 18:09:23 GMT+0800 (China Standard Time)

Thank you for the response @stcheng!

My last tentative: Is it any way to invite a user to join a business account by using an admin access token instead of an admin system user access token?

As I have mentioned above I try to make a call as below:

    new Business.APIRequestCreateBusinessUser("181431399044864",FacebookUtil.createApiContext(request.getAccessToken()))
            .setEmail("test@gmail.com")
            .setRole(BusinessUser.EnumRole.VALUE_EMPLOYEE)
            .execute();

My app has business_management permission (advanced access) and my user has an administrative role.

As a response I get:

{
"error": {
"message": "Application does not have permission for this action",
"type": "OAuthException",
"code": 10,
"error_data": {
"hash": null
},
"error_subcode": 2859030,
"is_transient": false,
"error_user_title": "This Action Is Not Allowed",
"error_user_msg": "Please retry this action in a few minutes",
"fbtrace_id": "AsErZRmD617WCt9yYFZkUZR"
}
}