Facebook Login iOS SDK Authentication Token Has No Signature #2442
Comments
By default, any attempt to print or otherwise display the tokenstring is truncated by Xcode. Often, this results in receiving 1.5 to 2.5 of the 3 segments during testing/development.
Any update on this? Is it bad practice to just read the
Did you verify it wasn't the truncation issue I mention above? If
Yes, this is very bad practice. With this approach, it would be possible to maliciously pose as another user. Further, a compromised user account's login will not properly "expire" after it is recovered, since this data is replayable due to having neither a timestamp nor a signature (nor a nonce). The client-side profile information should be treated the same as any other user-supplied information: useful in places where you'd trust the user or where the attacker is attacking themselves (e.g., "Welcome back, [First] [Last]" messages).
Checklist before submitting a bug report
Xcode version
15.3
Facebook iOS SDK version
17.0.2
Dependency Manager
SPM
SDK Framework
Login
Goals
We're attempting to migrate to the Limited Login flow in the latest versions of the iOS SDK. We get back an AuthenticationToken (JWT), but we're unable to validate it because the signature portion of the JWT is always missing/empty.
Expected results
The JWT contained in
AuthenticationToken.current?.tokenString
after login should have a properly formatted header, payload, and signature.
Actual results
The JWT contains a header and payload, but the signature is empty.
Steps to reproduce
Login with limited tracking configured.
After the successful login attempt,
AuthenticationToken.current?.tokenString
has an incomplete JWT value.
Code samples & details
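The thread contains two separate points worth checking in code: a token that only looks unsigned because the printed string was cut off (the truncation comment), and a backend that would accept an unsigned, replayable token (the "very bad practice" comment). The following is an added example, not code from the facebook-ios-sdk project or from anyone in this thread. It is a small Python checker that first tells "truncated" apart from "unsigned", then does what a server must do before trusting any claim: pin the algorithm, verify the signature, check expiry, and check the nonce. The key (DEMO_KEY), the HS256 signing, and the helper names make_demo_token, inspect_token and simulate_truncated_print are all constructed for this example; a real Limited Login authentication token is signed by Facebook with its own key pair, so a production verifier replaces the HMAC step with a public-key check against Facebook's published keys.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. A real Limited Login token is signed by Facebook with an
# asymmetric key; a production verifier swaps the HMAC below for a public-key check.
DEMO_KEY = b"demo-secret-not-a-real-key"
EXPECTED_ALG = "HS256"  # pin the algorithm; never take it from the untrusted header


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_demo_token(claims: dict, key: bytes = DEMO_KEY, alg: str = EXPECTED_ALG) -> str:
    """Build a constructed token so the checks below have realistic input to run on."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def inspect_token(token: str, key: bytes = DEMO_KEY,
                  expected_nonce: Optional[str] = None, now: Optional[float] = None) -> dict:
    """Classify a token string before any claim in it is trusted.

    'status' is one of:
      truncated      fewer than three segments: the string was cut off (e.g. by a
                     truncating debug print); nothing in it should be acted on
      unsigned       'header.payload.' with an empty third segment
      malformed      segments are not base64url-encoded JSON objects
      bad_algorithm  header 'alg' is not the pinned one (blocks alg=none substitution)
      bad_signature  payload was altered or signed with a different key
      expired        'exp' missing or not in the future
      bad_nonce      'nonce' differs from the value this login session generated
      ok             all checks passed; 'claims' holds the verified payload
    """
    parts = token.split(".")
    if len(parts) != 3:
        return {"status": "truncated", "segments": len(parts)}
    header_b64, payload_b64, sig_b64 = parts
    if sig_b64 == "":
        return {"status": "unsigned"}
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return {"status": "malformed"}
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return {"status": "malformed"}
    if header.get("alg") != EXPECTED_ALG:
        return {"status": "bad_algorithm", "alg": header.get("alg")}
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return {"status": "bad_signature"}
    now = time.time() if now is None else now
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        return {"status": "expired"}
    if expected_nonce is not None and payload.get("nonce") != expected_nonce:
        return {"status": "bad_nonce"}
    return {"status": "ok", "claims": payload}


def simulate_truncated_print(token: str, limit: int = 100) -> str:
    """Mimic a debug console that shows only the first `limit` characters of a string."""
    return token[:limit]


if __name__ == "__main__":
    good = make_demo_token({"sub": "1234567890", "exp": 2_000_000_000, "nonce": "n-abc"})
    print(inspect_token(good, expected_nonce="n-abc", now=1_700_000_000)["status"])  # ok
    print(inspect_token(simulate_truncated_print(good))["status"])                    # truncated
    print(inspect_token(good.rsplit(".", 1)[0] + ".")["status"])                      # unsigned
```

The order of checks matters: segment count and empty-signature tests run before any decoding so that a truncated debug print is reported as such rather than as a cryptographic failure, and the algorithm is pinned from configuration rather than read from the header, so a token that names a different algorithm is rejected before the signature is even examined. A reporter seeing "truncated" should copy the token string via the debugger or write it to a file rather than relying on console output.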