Until 3 days ago, our login service was working fine. Now it's broken by an unknown problem with Facebook OAuth.
Our app (built with React Native using the native FBSDK) asks Facebook for an Access Token and forwards it to our API:
LoginManager.logInWithReadPermissions(['public_profile', 'email'])
Then, our API tries to validate the token against the Facebook Graph API. Basically we do this:
use Facebook\Facebook;
use Facebook\Exceptions\FacebookResponseException;
use Facebook\Exceptions\FacebookSDKException;
use Illuminate\Support\Facades\Log;

public static function getInformationFromFacebook($accessToken)
{
    // Build the SDK client from the app credentials in config/services.php
    $facebook = new Facebook([
        'app_id' => config('services.facebook.app_id'),
        'app_secret' => config('services.facebook.app_secret'),
        'default_graph_version' => config('services.facebook.default_graph_version'),
    ]);
    try {
        // Call Graph with the user access token the mobile client sent us
        $response = $facebook
            ->get('/me?fields=first_name,last_name,email,picture.type(large)', $accessToken);
    } catch (FacebookResponseException $e) {
        // Graph answered with an error payload (bad/expired token, missing permission, ...)
        Log::error(sprintf('Graph returned an error: %s', $e->getMessage()));
        throw new \Exception("Facebook graph error.");
    } catch (FacebookSDKException $e) {
        // Local SDK failure (transport, configuration, ...)
        Log::error(sprintf('Facebook SDK returned an error: %s', $e->getMessage()));
        throw new \Exception("Facebook SDK error.");
    }
    $graph = $response->getGraphUser();
    return [
        'first_name' => $graph->getFirstName(),
        'last_name' => $graph->getLastName(),
        'email_address' => $graph->getEmail(),
        'picture' => $graph->getPicture()->getUrl(),
    ];
}
This piece of code uses Laravel 5.2 running on PHP 7.2 with the native Facebook SDK.
The expected behavior is an array with the user data, but it only works in the local environment; when we try to debug this on the staging server, the scopes from the user's access token are lost.
We discovered that the scopes are lost using this Facebook debug tool:
// The OAuth 2.0 client handler helps us manage access tokens
$oAuth2Client = $facebook->getOAuth2Client();
// Get the access token metadata from /debug_token
$tokenMetadata = $oAuth2Client->debugToken($accessToken);
echo '<h3>Metadata</h3>';
var_dump($tokenMetadata);
die;
Basically, when we're on local, the scopes are:
'scopes' =>
array (size=2)
0 => string 'email' (length=5)
1 => string 'public_profile' (length=14)
When we change the call to the staging environment, the result is:
["scopes"]=>
array(0) {
}
We tried all kinds of things, even updating our SDK.
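The API in the question accepts a token from the mobile client and goes straight to `/me`. The `/debug_token` metadata it already fetches is the place to decide whether that token should be trusted at all: it must be valid, issued for our own `app_id`, unexpired, bound to a user, and carry the scopes the login flow depends on. The empty `scopes` array seen on staging is exactly the case such a check should reject instead of letting the `/me?fields=email` call silently return less than expected. The following is an added example, not code from the original post; it is plain PHP over a decoded `/debug_token` `data` object (the same fields the SDK's `AccessTokenMetadata` exposes), so it runs without the SDK, and all ids, timestamps and the two sample responses are constructed placeholders.

```php
<?php
// Added example (not the original post's code): validate the `data` object
// returned by Graph's /debug_token endpoint before accepting a login.
// Pure PHP, no SDK calls; every value below is a constructed placeholder.

declare(strict_types=1);

/**
 * Checks a decoded /debug_token "data" object for a user access token.
 * Returns an empty array when the token is acceptable, otherwise a list of
 * reasons to reject it. $expectedAppId is our own Facebook app id.
 */
function validateDebugTokenData(array $data, string $expectedAppId, array $requiredScopes, ?int $now = null): array
{
    $now = $now ?? time();
    $problems = [];

    // Graph reports an explicit error object for malformed or revoked tokens.
    if (isset($data['error'])) {
        $problems[] = 'graph error: ' . ($data['error']['message'] ?? 'unknown');
    }
    if (empty($data['is_valid'])) {
        $problems[] = 'token is not valid';
    }
    // The token must have been issued for OUR app, not for some other app
    // the same user happens to have authorised.
    if (($data['app_id'] ?? null) !== $expectedAppId) {
        $problems[] = 'token was issued for a different app_id';
    }
    // expires_at of 0 means a token without expiry; anything else must lie in the future.
    $expiresAt = (int) ($data['expires_at'] ?? 0);
    if ($expiresAt !== 0 && $expiresAt <= $now) {
        $problems[] = 'token has expired';
    }
    if (empty($data['user_id'])) {
        $problems[] = 'token carries no user_id';
    }
    // The check the question's staging environment would fail: with an empty
    // scopes array the later /me?fields=email call cannot be relied on.
    $granted = $data['scopes'] ?? [];
    $missing = array_values(array_diff($requiredScopes, $granted));
    if ($missing !== []) {
        $problems[] = 'missing scopes: ' . implode(', ', $missing);
    }
    return $problems;
}

// Constructed sample responses shaped like Graph's /debug_token "data" object.
$localData = [
    'app_id'      => '000000000000000',   // placeholder app id
    'type'        => 'USER',
    'application' => 'Example App',
    'expires_at'  => 1700000000,
    'is_valid'    => true,
    'issued_at'   => 1690000000,
    'scopes'      => ['email', 'public_profile'],
    'user_id'     => '111111111111111',   // placeholder user id
];
$stagingData = $localData;
$stagingData['scopes'] = [];              // what the question observed on staging

$required = ['email', 'public_profile'];
$now = 1695000000;                        // fixed clock so the sample is deterministic

var_dump(validateDebugTokenData($localData, '000000000000000', $required, $now));
var_dump(validateDebugTokenData($stagingData, '000000000000000', $required, $now));
```

Run with `php validate_debug_token.php`: the local-shaped response yields no problems, the staging-shaped one is rejected for the missing scopes. In the Laravel code from the question the same decision can be made from the object returned by `$oAuth2Client->debugToken($accessToken)` before the `/me` request is issued, and it is worth logging the full metadata (minus the token itself) when the check fails, since the `app_id` and `application` fields immediately show whether staging is debugging a token against a different app configuration than the one that issued it.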