The current documentation and examples instruct users to pass `result.accessToken!.tokenString` as the `idToken` parameter to `signInWithIdToken` for Facebook login. However, for `ClassicToken`, `tokenString` contains the Graph API access token instead of an OIDC ID token, resulting in the Supabase GoTrue backend throwing a "Bad ID token" error (because it only supports Facebook Limited Login JWTs). This commit updates the `README.md` to properly handle `flutter_facebook_auth`'s `ClassicToken` and `LimitedToken` to extract the correct OIDC token (`authenticationToken` or `tokenString` respectively) depending on the configuration (e.g., using `LoginBehavior.webOnly` on Android).
The current documentation does not properly detail how to perform Facebook Native Login using `signInWithIdToken`. Users commonly encounter a "Bad ID token" error from the GoTrue server because they are passing the classic Facebook Graph API access token instead of an OIDC ID token. This commit introduces a "Native Facebook Login" section in `README.md` that:
1. Explains how to use the `flutter_facebook_auth` package correctly.
2. Demonstrates the required `LoginBehavior.webOnly` on Android.
3. Provides logic to safely extract the OIDC ID token (`authenticationToken` for `ClassicToken`, or `tokenString` for `LimitedToken`).
4. Adds a secondary example showing how to use `signInWithOAuth` as an alternative web-based approach for Facebook login.
Author
Check this out @dshukertjr
What kind of change does this PR introduce?
Docs update
What is the current behavior?
Currently, there is no official documentation for Facebook native login using signInWithIdToken in the Flutter SDK. Many developers refer to external tutorials or guess the implementation and mistakenly pass the Facebook Graph API access token (e.g., result.accessToken!.tokenString) as the idToken parameter.
Because the Supabase GoTrue backend strictly expects an OpenID Connect (OIDC) ID token (Facebook Limited Login JWT), passing the Graph API access token throws a 400 Bad ID token error. Furthermore, developers don't know they need to request OIDC tokens by using LoginBehavior.webOnly on Android or extracting the authenticationToken field properly.
Resolves #1287 Resolves #987 (Addresses problems seen in PR #1297)
What is the new behavior?
This PR updates packages/supabase_flutter/README.md to include:
Native Facebook Login Example: A complete, robust example of using the flutter_facebook_auth package to perform native login. It shows how to correctly enforce OIDC token generation (LoginBehavior.webOnly on Android) and how to safely extract the OIDC token by checking if the result is a ClassicToken (extracting authenticationToken) or a LimitedToken (extracting tokenString).
Web-based OAuth Alternative: Adds a secondary snippet showing how to use signInWithOAuth as a simpler web-based fallback if developers choose not to use the native Facebook SDK.
Additional context
This is a documentation-only update. It provides the necessary context and exact implementation details to avoid backend validation errors related to Facebook's dual-token system (Graph API vs Limited Login OIDC).
The website docs also need to be updated to reflect these docs.
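The token mix-up described in this PR can be caught on the client before `signInWithIdToken` is called. The following Dart check is an added example, not code from this PR, Supabase or `flutter_facebook_auth`; the function names are hypothetical, the sample tokens are constructed, and it assumes an OIDC ID token is a three-segment JWT carrying the standard `iss`, `aud`, `sub` and `exp` claims. It checks shape only and does not replace the server's signature validation.

```dart
import 'dart:convert';

/// Decodes one base64url JWT segment into a JSON object, or returns null.
Map<String, dynamic>? _decodeSegment(String segment) {
  try {
    final bytes = base64Url.decode(base64Url.normalize(segment));
    final decoded = jsonDecode(utf8.decode(bytes));
    return decoded is Map<String, dynamic> ? decoded : null;
  } on FormatException {
    return null; // bad base64, bad UTF-8 or bad JSON
  }
}

/// Returns null when [token] has the shape of an OIDC ID token, otherwise a
/// short reason. Structural check only: the signature is verified server-side.
String? idTokenShapeProblem(String? token) {
  if (token == null || token.isEmpty) return 'no token returned by the SDK';
  final parts = token.split('.');
  if (parts.length != 3) {
    return 'not a JWT (looks like an opaque Graph API access token)';
  }
  final header = _decodeSegment(parts[0]);
  final claims = _decodeSegment(parts[1]);
  if (header == null || claims == null) return 'JWT segments are not JSON';
  if (header['alg'] is! String) return 'missing alg header';
  for (final claim in ['iss', 'aud', 'sub', 'exp']) {
    if (!claims.containsKey(claim)) return 'missing required claim: $claim';
  }
  return null;
}

void main() {
  // Encodes a map as an unpadded base64url JWT segment.
  String seg(Map<String, dynamic> m) =>
      base64Url.encode(utf8.encode(jsonEncode(m))).replaceAll('=', '');

  // Constructed samples: neither value is a real token.
  final jwt = [
    seg({'alg': 'RS256', 'typ': 'JWT'}),
    seg({'iss': 'https://issuer.example', 'aud': 'app-id',
         'sub': 'user-1', 'exp': 1900000000}),
    'c2lnbmF0dXJl',
  ].join('.');
  const opaque = 'EAAGconstructedOpaqueAccessToken';

  print('jwt-shaped token: ${idTokenShapeProblem(jwt) ?? 'ok'}');
  print('opaque token:     ${idTokenShapeProblem(opaque) ?? 'ok'}');
}
```

Failing fast with the returned reason makes the misconfiguration visible in the app's own logs instead of surfacing only as the backend's 400 response.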