supabase / auth / 15683069484
69%

Build:
DEFAULT BRANCH: master
Ran 16 Jun 2025 02:12PM UTC
Jobs 1
Files 140
Run time 5min
16 Jun 2025 02:05PM UTC coverage: 69.993% (-0.1%) from 70.114%
15683069484

push

github

web-flow
Add Facebook Limited Login Support for iOS (#2046)

## What kind of change does this PR introduce?

This PR adds support for [Facebook Limited
Login](https://developers.facebook.com/docs/facebook-login/limited-login/)
JWT (iOS only) to the `/token?grant_type=id_token` endpoint. This
enables iOS apps using Facebook's Limited Login feature to authenticate
with Supabase without requiring web browser redirects.

## What is the current behavior?

Currently, the `/token?grant_type=id_token` endpoint does not support
Facebook as a provider. When iOS apps using Facebook Limited Login try
to authenticate with their JWT, they receive a `Bad ID token` error
because Facebook's JWT structure is not recognized by the generic OIDC
parser. This is already raised by users in
https://github.com/supabase/auth/issues/1522 as well.

## What is the new behavior?

- iOS apps can now authenticate using Facebook Limited Login JWT via
`signInWithIdToken()` function on the client side
  - Facebook JWTs are properly parsed and validated
- End users can authenticate on iOS even if they don't allow tracking
([ATT](https://developer.apple.com/documentation/apptrackingtransparency))

## Additional context

Important: Android Platform Limitations

This implementation only supports iOS Facebook Limited Login. Android
developers must continue using the standard OAuth flow
(`signInWithOAuth()`) with web browser redirects.

Why Android is not supported in this PR:

1. Fundamental Token Differences:
   - iOS: Facebook Limited Login provides self-contained JWT ID tokens that
     follow OIDC standards
   - Android: Facebook SDK only provides opaque access tokens (random
     strings, not JWTs)
2. Validation Requirements:
   - iOS JWT: Can be validated using standard OIDC/JWKS (already handled by
     our infrastructure)
   - Android access tokens: Require calling Facebook Graph API for
     validation
3. Architectural Considerations:
   - The `/token?grant_type=id_token` endpoint is designed specifically for
     OIDC-compliant JWT
-... (continued)

0 of 28 new or added lines in 1 file covered. (0.0%)

11350 of 16216 relevant lines covered (69.99%)

69.15 hits per line

New Missed Lines in Diff

| Lines | Coverage | ∆ | File |
|---|---|---|---|
| 28 | 45.95 | -4.8% | internal/api/provider/oidc.go |

Jobs

| ID | Job ID | Ran | Files | Coverage |
|---|---|---|---|---|
| 1 | 15683069484.1 | 16 Jun 2025 02:12PM UTC | 140 | 69.99 |
  • 4de7bd67 on github