
iOS and Android: Single Sign-On Best Practices

January 26, 2012, by Aryeh Selekman

Over a year ago, we introduced Single Sign-On (SSO) for Android and iOS. Today, more than 350 million active users access Facebook through their mobile devices. Users logged into the Facebook for iOS or Facebook for Android app can use the “Login with Facebook” button and, in one click through a permissions dialog, log in to your app. This saves users from typing an e-mail address and password into apps that require registered users. Since the launch of SSO, developers who have implemented it in their apps have seen increased user registrations and gained access to the Graph API to build in-app social experiences.

SSO Product Update

We have made significant stability and performance improvements to SSO and made it a core part of the Social Mobile App Discovery we announced last October. In addition, we created a simpler authentication flow for users who have already authorized your app. If a user has previously granted your app the requested permissions, SSO immediately passes an OAuth 2 access token back to your app. For example, if you already have a connected Facebook user on your website or canvas app, that user will be able to log in to your native mobile apps faster.

Pro-tip 1: Include Facebook Login at User Registration

Apps often use SSO and Facebook Login only when asking the user to enable Facebook features in the app. You should also include Facebook Login anywhere you prompt the user to register for your app, which is often when users launch your app for the first time. Users get a simplified registration process, and you can request the same information, such as an e-mail address, that you would normally collect manually from the user.

Pro-tip 2: Store the user’s session in your app

After your user authenticates for the first time, store the authentication result locally right away. This way, you can keep the user logged in to your app without making the user re-authenticate each time. Here are Android and iOS code samples that show how to do this in your app:

iOS Example:
In the fbDidLogin delegate method, when the user has logged in via SSO, save the session:

- (void)fbDidLogin {
  // Persist the token and its expiry so the next launch can reuse the session.
  NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
  [defaults setObject:[facebook accessToken] forKey:@"FBAccessTokenKey"];
  [defaults setObject:[facebook expirationDate] forKey:@"FBExpirationDateKey"];
  [defaults synchronize];
}

Then, when your app starts in the future, set the accessToken and expirationDate on your Facebook object if they exist:

NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
// Only restore when both values were saved; the SDK checks expiry itself.
if ([defaults objectForKey:@"FBAccessTokenKey"]
  && [defaults objectForKey:@"FBExpirationDateKey"]) {
  facebook.accessToken = [defaults objectForKey:@"FBAccessTokenKey"];
  facebook.expirationDate = [defaults objectForKey:@"FBExpirationDateKey"];
}

Android Example:
When the user has logged in via SSO, save the session:

// MODE_PRIVATE keeps the preferences file readable only by this app.
Editor editor = context.getSharedPreferences("facebook-session", Context.MODE_PRIVATE).edit();
editor.putString("access_token", session.getAccessToken());
editor.putLong("expires_in", session.getAccessExpires());
editor.commit();

When your app starts, in onCreate, restore the session if it exists:

SharedPreferences savedSession = context.getSharedPreferences("facebook-session", Context.MODE_PRIVATE);
session.setAccessToken(savedSession.getString("access_token", null));
session.setAccessExpires(savedSession.getLong("expires_in", 0));
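As an added example (not the page's code or the Facebook SDK's), the two Android snippets above combined into one helper that also refuses to reuse a saved token once it has expired and clears it on logout. It assumes, as the SDK's getAccessExpires() does, that the expiry is an absolute time in milliseconds with 0 meaning no expiry; the FacebookSessionStore class and its method names are hypothetical.

```java
import android.content.Context;
import android.content.SharedPreferences;

// Hypothetical helper wrapping the save/restore logic shown in Pro-tip 2.
public final class FacebookSessionStore {
    private static final String PREFS = "facebook-session";
    private static final String KEY_TOKEN = "access_token";
    private static final String KEY_EXPIRES = "expires_in";

    private final SharedPreferences prefs;

    public FacebookSessionStore(Context context) {
        // MODE_PRIVATE: readable only by this app's uid, not by other apps.
        prefs = context.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
    }

    /** Call from the SSO success callback with the values the SDK returned. */
    public void save(String accessToken, long accessExpires) {
        prefs.edit()
             .putString(KEY_TOKEN, accessToken)
             .putLong(KEY_EXPIRES, accessExpires)
             .commit();
    }

    /** Returns the saved token, or null if none was saved or it has expired. */
    public String restoreToken() {
        String token = prefs.getString(KEY_TOKEN, null);
        long expires = prefs.getLong(KEY_EXPIRES, 0);
        if (!isValid(token, expires, System.currentTimeMillis())) {
            clear();  // stale token: drop it and let the app run SSO again
            return null;
        }
        return token;
    }

    /** Expiry to hand to setAccessExpires() after a successful restoreToken(). */
    public long restoreExpires() {
        return prefs.getLong(KEY_EXPIRES, 0);
    }

    /** Call on logout so the stored token does not outlive the user's choice. */
    public void clear() {
        prefs.edit().remove(KEY_TOKEN).remove(KEY_EXPIRES).commit();
    }

    /** Pure check, split out so it can be unit-tested without Android. */
    static boolean isValid(String token, long expires, long now) {
        return token != null && !token.isEmpty() && (expires == 0 || now < expires);
    }
}
```

MODE_PRIVATE relies on the app sandbox only; the token sits in plaintext on a rooted device or in a device backup, so treat it as a credential and clear it on logout.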

Pro-tip 3: Request only the permissions your app needs

We have streamlined the SSO permissions dialog, along with all permission dialogs in our recently announced Improved Auth Dialog. You should only request the permissions you need to get the user registered and using your app’s social features.

As part of our ongoing efforts to improve privacy protections for Facebook users, we've deprecated the 'offline_access' permission. Instead, you now have the option to extend the expiration of existing, valid access tokens for a limited amount of time without requiring the user to login again. Learn more about upgrading access tokens. Also, many apps incorrectly ask for 'publish_stream' when using our Feed Dialog. Your app only needs 'publish_stream' if it will be publishing to the user’s feed programmatically with the Graph API.

Pro-tip 4: Complete all iOS and Android Fields in your App Settings

Be sure to fill out every field in the Native iOS App and Native Android App sections of your app settings. You can access these app settings for your app here. On iOS, if these fields are not configured, we will not be able to drive traffic to your app or to the iOS App Store. In addition, we use the iOS Bundle ID to streamline authentication for users who have already authorized your app.

In the coming weeks, we will be posting additional best practices for leveraging the Facebook Platform in iOS and Android Apps. Implementing SSO is the first step to taking advantage of improved distribution and engagement with the Facebook Platform in these environments.

Get started with our step-by-step documentation and sample code available in the iOS Getting Started and Android Getting Started guides.