Limited Login FAQ

In response to the upcoming changes to ATT enforcement, we made changes to the iOS SDK and the SDK no longer provides valid user access tokens in scenarios where the user opts out of ATT. The access token validation or Graph API requests may throw errors like OAuthException - “Invalid OAuth access token - Cannot parse access token”. Our recommendation is that users integrate Limited Login following the official documentation:

• Limited Login for iOS
• Limited Login for Unity

When users opt out of ATT, all Facebook Login traffic will be performed on the Limited Login domain. Limited Login does not support business permissions. Our recommendation is that developers integrate Limited Login following the official documentation. See limited login supported permissions in this document.

When users opt out of ATT, all Facebook Login traffic will be performed on the limited login domain via the in-app browser. Limited Login does not support fast app switch (that is, redirecting to fb app to login). See limitations section of the Limited Login for iOS document.

Please see the official documentation, Validating the Limited Login OIDC Token.

Please see key considerations for user_friends with Limited Login in the Permissions in Limited Login document.

We made changes both to the iOS SDK and our core login systems to support the privacy manifest requirements based on the upcoming App Transparency Tracking enforcement so that iOS users who have opted out of ATT are able to use FBLogin. As a result, we do not plan to release the privacy manifest as part of a minor update.

执行受限登录后，系统会对您的用户进行身份验证并填充一个身份验证口令的共享实例。然后会使用身份验证调用中的其他信息填充共享的用户个人信息实例中的基本字段。

图谱请求将失败，因为没有访问口令。要获得访问口令，请重新使用传统登录方法（默认启用追踪），或调用 FBSDKLoginManagerlogInFromViewController:configuration:completion:，并对其进行配置，指明追踪已启用。请注意，执行此操作时，用户会受到追踪。

To access the Graph API, you need an access token. Either reuse the classic login method (defaults tracking to enabled), or call FBSDKLoginManager logInFromViewController:configuration:completion: with a configuration that specifies that tracking is enabled. This will allow you obtain an access token that can be used for Graph API calls. Be aware that when you do this, users are tracked. Be aware that Limited Login safeguards are not supported in this context.

When you use Limited Login to request user_friends from a user, we provide you with a list of app scoped IDs (ASIDs) associated with the friends of the authorizing user, if the friends have also granted your app the user_friends permission. Depending on how you have implemented Limited Login, some of the ASIDs on this list may represent other users that have connected to your app using Limited Login. To ensure that Limited Login safeguards are maintained for such users, do not make Graph API calls using their ASIDs. Instead, continue to rely on Limited Login for these users.

是。新增了两个公有属性：

• loginTracking，可用于获取或设置进行登录尝试时所需的追踪首选项。默认为 .enabled。

• nonce，可用于获取或设置进行登录尝试时所用的可选随机数。有效的随机数必须为不带空格的非空字符串。请注意：无效的随机数将不会被设置。系统会改为使用默认的独立随机数进行登录尝试。

从用户角度来看，没有变化。从原理来看，受限登录会将当前的 AuthenticationToken、AccessToken 和 Profile 设置为 nil。

受限登录目前不可用于 tvOS。

否。由于我们将在 SDK v9.0 中弃用 React Native SDK，因此我们没有开发适用于该 SDK 的受限登录。详情请参阅 React Native 文档。

There is no impact to existing logged in users from adopting Limited Login in your app. If you would like to take advantage of Limited Login safeguards for existing, logged-in users, you must log them out by so they can log back in with Limited Login.

否。受限登录标记只对指定设备有效。

您可以通过邮件和/或 ASID 协调这些用户。

否。fb_login_id 会依然存在于受限登录模式中。而用户访问口令（独立实体）则会在受限登录模式中被交换为 OIDC 口令。

受限登录模式仅支持基本个人信息（名称和照片）和邮件权限。如果您的应用需要公司权限，则无法使用受限登录来请求这些权限。但是，您的用户可以通过以下方式在传统登录中授予公司权限：

• 通过网页登录到您的应用。
• 在传统登录模式下通过 iOS 登录到您的应用。
• 通过 Android 登录到您的应用。

Yes, but this will require the use of an app access token to request the token_for_business field on the User node. Limited Login safeguards are not supported in this context. For apps that are associated with your business by means of Business Manager, you can use the app-scoped ID (ASID) included in the OIDC token returned after a successful login to get a unique string for a user. Using your app's app access token, request the token_for_business field on the User node and pass in the user's app-scoped ID. This call returns a string which is the same for this user across all the apps managed by the same Business Manager.

GET /ASID?fields=token_for_business

This returns the values.

{
  "id": "1234567890"
  "token_for_business": "weg23ro87gfewblwjef"
}

Usage notes:

• The person being queried must have logged into this app.
• If the owning business changes, the value of token_for_business will also change
• If you request the token_for_business field and the app is not associated with a Business Manager, the call returns an error.
• The value returned by token_for_business is a token, not an ID - it cannot be used directly against the Graph API to access a person's information. You should still store the ID in your database.