Hello everyone,
Today, Facebook issued the message below to developers.
Our project, and I'm sure a ton of others, are using Keycloak as their platform's Identity and Authentication solution. As such, it is part of our mobile Apps, including our Android App. Usually, this is done through a webview. When using the Facebook identity provider, the login webview currently redirects to Facebook for the authentication. As explained by Facebook, this will stop working on October 5, 2021. In order to avoid what would be a pretty major disruption of our and others' services, a solution to this issue will have to be found, implemented and rolled out before that date.
I don't really have an idea at hand right now, but since this will likely affect a lot of Keycloak users I wanted to bring this to your attention as early as possible so if someone from the KC team has an idea for a solution, it can already be discussed.
Best regards,
Mike
Here's Facebook's original message:
___________________________________
Follow these steps to prevent a disrupted user experience
We’ve been monitoring an increase in phishing attempts on Android embedded browsers, also known as WebViews. Because of this, we will no longer support this method of Facebook Login and your users will not be able to log in using Android embedded browsers beginning October 5, 2021. Until then, we will continue to prevent access to Facebook Login on embedded browsers for certain users we deem high-risk in an effort to prevent malicious activity.
To avoid a disrupted user experience, please use the following checklist:
- Ensure that you have upgraded to version 8.2.0 (or later) of the Facebook SDK for Android. If your app is built to target Android 11 (API level 30) and your users are on Android 11, alternative non-webview login mechanisms provided by the SDK will not work unless you upgrade to or past 8.2.0.
- Ensure that your app has configured support for Custom Tabs properly. (Not sure what Custom Tabs are? Check here.) To test this, ensure that you have a browser compatible with Custom Tabs (example browsers that support Custom Tabs include Chrome, Samsung Browser, etc). Next, delete the Facebook app from your device if you have it installed. Finally, login from your app. You should see a window open in the external browser rather than in a native WebDialog.
If you do not see an external browser launch, follow these instructions:
Option 1:
Ensure your app is using version 8.2.0 or later of the Facebook SDK for Android. If so, you should not need to make any modifications to your Android manifest. If you have any items referencing “CustomTabMainActivity” or “CustomTabActivity”, remove them.
Option 2:
Configure your Custom Tabs intent filter exactly following the instructions here.
Try Option 1 first and then use Option 2 if Option 1 does not work after testing. There may be cases where we cannot automatically configure your intent filter because of mismatches between the defined ${applicationId} constant and your package name.
- If you have already completed steps 1-3 and have released your app to users, users who are on older versions of your application will see an error message when they attempt to login from a webview, prompting them to upgrade to the newest version of your application. If you have mechanisms to force auto-upgrades for existing installations of your application or to prompt your users to upgrade, we encourage you to use them to limit affected users.
- If your app is used primarily on devices which are unable to host the login experience in an external browser, we encourage you to integrate Device Login as an alternative login mechanism.
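
A manifest check for Option 1 of the checklist above, added here as an example (it is not part of Mike's post or Facebook's message): it lists the manifest entries that reference the two activity names Facebook says to remove, along with any URI schemes their intent filters declare. The sample manifest, the `com.facebook` package prefix in it, and the function name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute prefix for the standard Android manifest namespace.
A = "{http://schemas.android.com/apk/res/android}"

# Activity names quoted in Facebook's checklist (Option 1); matched on the
# last dotted component so fully qualified and short forms are both caught.
LEGACY_NAMES = ("CustomTabMainActivity", "CustomTabActivity")

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name="com.facebook.CustomTabActivity"
              android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="examplescheme"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def find_custom_tab_entries(manifest_xml):
    """Return (tag, name, schemes) for each element naming a listed activity."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for elem in root.iter():
        name = elem.get(A + "name", "")
        if name.split(".")[-1] in LEGACY_NAMES:
            # Collect the schemes declared under this component's intent filters.
            schemes = sorted(
                {d.get(A + "scheme") for d in elem.iter("data") if d.get(A + "scheme")}
            )
            findings.append((elem.tag, name, schemes))
    return findings


if __name__ == "__main__":
    for tag, name, schemes in find_custom_tab_entries(SAMPLE_MANIFEST):
        print(f"<{tag}> {name} schemes={schemes}: remove when on SDK 8.2.0 or later")
```

An empty result means the manifest has nothing left to remove for Option 1; the Custom Tabs test described in the checklist is still needed to confirm that login opens in the external browser.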