Solution for Facebook Login changes as of October 5, 2021

[Mike Meessen]

Hello everyone,

Today, Facebook issued the message below to developers. 

Our project, and I'm sure a ton of others, are using Keycloak as their platform's Identity and Authentication solution. As such, it is part of our mobile Apps, including our Android App. Usually, this is done through a webview. When using the facebook identity provider, the login webview currently redirects to facebook for the authentication. As explained by Facebook, this will stop working on October 5, 2021. In order to avoid what would be a pretty major disruption of our and others' services, a solution to this issue will have to be found, implemented and rolled out before that date.

I don't really have an idea at hand right now, but since this will likely affect a lot of Keycloak users I wanted to bring this to your attention as early as possible so if someone from the KC team has an idea for a solution, it can already be discussed.

For reference, I also created a ticket for this:
https://issues.redhat.com/browse/KEYCLOAK-19093

Best regards,

Mike

Here's Facebook's original message:

___________________________________
Follow these steps to prevent a disrupted user experience

We’ve been monitoring an increase in phishing attempts on Android embedded browsers, also known as WebViews. Because of this, we will no longer support this method of Facebook Login and your users will not be able to log in using Android embedded browsers beginning October 5, 2021. Until then, we will continue to prevent access to Facebook Login on embedded browsers for certain users we deem high-risk in an effort to prevent malicious activity.

To avoid a disrupted user experience, please use the following checklist:

1. Ensure that you have upgraded to version 8.2.0 (or later) of the Facebook SDK for Android. If your app is built to target Android 11 (API level 30) and your users are on Android 11, alternative non-webview login mechanisms provided by the SDK will not work unless you upgrade to or past 8.2.0.
Ensure that you are NOT setting LoginBehavior=WEB_VIEW_ONLY.
2. Ensure that your app has configured support for Custom Tabs properly. (Not sure what Custom Tabs are? Check here.) To test this, ensure that you have a browser compatible with Custom Tabs (example browsers that support Custom Tabs include Chrome, Samsung Browser, etc). Next, delete the Facebook app from your device if you have it installed. Finally, login from your app. You should see a window open in the external browser rather than in a native WebDialog.
   If you do not see an external browser launch, follow these instructions:
   Option 1:
   Ensure your app is using version 8.2.0 or later of the Facebook SDK for Android. If so, you should not need to make any modifications to your Android manifest. If you have any items referencing “CustomTabMainActivity” or “CustomTabActivity”, remove them.
   Option 2:
   Configure your Custom Tabs intent filter exactly following the instructions here.
   Try Option 1 first and then use Option 2 if Option 1 does not work after testing. There may be cases where we cannot automatically configure your intent filter because of mismatches between the defined ${applicationId} constant and your package name.
3. If you have already completed steps 1-3 and have released your app to users, users who are on older versions of your application will see an error message when they attempt to login from a webview, prompting them to upgrade to the newest version of your application. If you have mechanisms to force auto-upgrades for existing installations of your application or to prompt your users to upgrade, we encourage you to use them to limit affected users.
4. If your app is used primarily on devices which are unable to host the login experience in an external browser, we encourage you to integrate Device Login as an alternative login mechanism.

[Václav Muzikář]

Hello,

thanks for bringing this up. This probably requires a deeper investigation, however it's worth mentioning that Keycloak doesn't use any Facebook SDK. It uses plain Facebook Login functionality (basically just OAuth) for identity brokering. Embedded browser is used in case of Cordova apps. But I'm not sure if this would be affected by this change.

--
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/e5eb45ac-9f95-4970-8eb3-106aa7073d03n%40googlegroups.com.

--

Václav Muzikář
Senior Software Engineer
Keycloak / Red Hat Single Sign-On
Red Hat Czech s.r.o.

[Stian Thorgersen]

This all depends on what Facebook is actually going to block. Is it just using the Facebook SDK with webview directly? If so then it shouldn't affect folks using Keycloak with a webview. However, if they are somehow detect (can they?) if the login is going through a webview then it could break things. However, we should also not advocate using a webview, and already have support in keycloak.js to do things properly.

To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/CAMQSZygBufq1upaSvrCQFA8taY5kxCk3n520J6COVxiNnNWf2g%40mail.gmail.com.

[Mike Meessen]

Let me report an update here: in October of this year, our FB Login has stopped working on Android. So yes, it seems they detect that login is going through a WebView and they do actively block it. Even worse: our FB App is under review now and they threaten to completely disable it (including iOS and Web platforms) because of this.

We currently are using keycloak.js inside an Angular web application. We then package that into a Cordova App. Is there anything we can do to make FB Login work on Android in this constellation again? Is there maybe a guide or blog post about the subject we missed?

Best regards,

Mike

[Stian Thorgersen]

Take a look at https://www.keycloak.org/docs/latest/securing_apps/index.html#hybrid-apps-with-cordova - specifically cordova-native

To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/3989c8b4-27b0-4213-88ef-322087f22949n%40googlegroups.com.