Deprecating Facebook Login support on Android WebViews

Question

Deprecating Facebook Login support on Android WebViews

rafalzawadzki opened this issue 3 years ago · 4 comments

Beginning October 5, 2021, Facebook Login will no longer support using Android embedded browsers (WebViews) for logging in users.

Does this mean that Instagram login using this library will be affected?

Answer 1 · 2021-09-10T09:12:59.000Z

@rafalzawadzki no, react-native-instagram-login doesnt use webview from react native. It used WebView from react-native-webview. so it's not affected.

Answer 2 · 2021-09-10T10:18:43.000Z

@hungdev if I understand correctly, it does not matter where the WebView comes from - all embedded browsers are supposed to be blocked. And react-native-webview also uses WebView internally.

This seems to be a general initiative because of security issues related to embedded browsers - eg. here's a more elaborate explanation by Google who will disallow OAuth by the end of this month. Their "browser policy" states:

A developer must not direct a Google OAuth 2.0 authorization request to an embedded user-agent under the developer's control. Embedded user-agents include, but are not limited to, software libraries that allow a developer to insert arbitrary scripts, alter the default routing of a request to the Google OAuth server, or access session cookies.

Nevertheless, it's not clear how exactly Facebook will recognize that a request comes from an embedded browser (headers etc), but from my understanding seems like this library might be affected. @hungdev could you elaborate on why exactly the WebView from react-native-webview should still work compared to WebView from RN?

Answer 3 · 2021-09-10T11:00:40.000Z

@rafalzawadzki sorry, i misunderstood you. I thought where the problem came from webview of rn or react-native-webview.
And about the library will be affected? I'm not sure if it will be affected or not.
The first one: Fb login doesnt support on android webview because they already has sdk fb login, and instagram doesnt. So i think we can still use the login api via webview, and fb still supports that.
Second one is we don't request to the Google OAuth server, we request api to fb, so i think it's not related to google.
In the end, I'm not sure about that.

Answer 4 · 2021-10-16T03:10:55.000Z

facebook prevent login from embedded browsers and we can't login instagram by facebook button