feat(token): add access_token grant for signing in with a Facebook access token#2609
Open
spydon wants to merge 1 commit into
Conversation
This was referenced Jul 2, 2026
This was referenced Jul 3, 2026
5dc0147 to 1d3f849
1d3f849 to 16f15c6
…cess token

Facebook's native Android login reliably returns a classic Graph access token on every login, but only mints an OIDC id token (AuthenticationToken) on the first authorization, which makes the id_token grant unusable for repeat native logins without falling back to the browser flow. Add an access_token grant that accepts a provider-issued access token, verifies via Facebook's /debug_token that it was issued for this app, is valid, and is a user token (mitigating access token substitution), fetches the profile and issues a session. The grant is only available to providers that implement the new AccessTokenVerifier interface, which for now is Facebook only.
16f15c6 to 39ea58a
What

Adds a new `access_token` grant to `POST /token` that lets a client sign in with a provider-issued OAuth access token instead of an OIDC id token. Initially wired up for Facebook only.

Why

Driven by native Facebook login on Android (supabase/supabase-flutter#1287). Investigation established that native Android cannot produce an OIDC id token for the common case, so the existing `id_token` grant is a dead end there. Exchanging the classic access token server-side is the mainstream solution.

Findings

- … `id_token` is the web Code Flow with PKCE, i.e. the browser flow (`signInWithOAuth`).
- … `LoginConfiguration`, Facebook mints an `AuthenticationToken` only on the first authorization; every subsequent login returns a classic access token with `authenticationToken == null` (confirmed on device across Android versions, and traced through facebook-android-sdk 18.x: the instant get-token handler wins and no native handler mints an id token on a cached grant). See "Facebook Login - Obtain null Authentication token", facebook/facebook-android-sdk#1132.
- Firebase's `FacebookAuthProvider.getCredential(accessToken)`; Auth0 does a server-side token exchange of the Facebook access token. Neither relies on a native id token.
- Net: iOS keeps using `id_token` (Limited Login); Android uses this new `access_token` grant.

How

- `AccessTokenGrant` handler (`grant_type=access_token`): resolves the provider, confirms it's enabled, verifies the token, fetches the profile via the existing `GetUserData`, then creates/links the account and issues a session, reusing the same path as `IdTokenGrant`.
- `facebookProvider.VerifyAccessToken` calls Facebook's `/debug_token` with the app access token and rejects the request unless the token `is_valid` and its `app_id` matches this app's client id. This mitigates access-token substitution (a token minted for a different Facebook app being replayed against this one).
- … `provider.AccessTokenVerifier` interface, so today only `facebook` is accepted; other providers get a clear 400.

Tests

`internal/api/token_access_token_test.go`: success, token issued for another app (rejected), invalid token (rejected), missing token, and an unsupported provider. All pass against Postgres.

Follow-ups (separate PRs)

- … `VerifyAccessToken` (currently checks the primary), and consider generalizing the grant to other providers that can verify token audience.
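As an added illustration of the verification step described in the commit message and in the "How" section above (this is example code written for this page, not code from the PR or from the supabase/auth repository), here is a Go sketch of the `/debug_token` check run against an in-process fake Graph endpoint with constructed tokens. The names `FacebookVerifier`, `fbToken`, `newFakeGraph`, `RunScenarios`, the token strings and the app id/secret are assumptions; the real verifier's signature and how it obtains the app access token are not shown on this page. The sketch also includes the "is a user token" check from the commit message, which the "How" bullet does not spell out.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// debugTokenResponse mirrors the documented /debug_token fields that the checks below use.
type debugTokenResponse struct {
	Data struct {
		AppID   string `json:"app_id"`
		Type    string `json:"type"`
		IsValid bool   `json:"is_valid"`
		UserID  string `json:"user_id"`
	} `json:"data"`
}

var ErrTokenInvalid = errors.New("facebook: access token is not valid")
var ErrWrongApp = errors.New("facebook: access token was issued for a different app")
var ErrNotUserToken = errors.New("facebook: access token is not a user token")

// FacebookVerifier is a hypothetical stand-in for the provider-side verifier, not the project's type.
type FacebookVerifier struct {
	ClientID, ClientSecret string
	GraphURL               string // https://graph.facebook.com in production; the fake server below here
	HTTP                   *http.Client
}

// VerifyAccessToken introspects a client-supplied token using the app access token (app_id|app_secret)
// and returns the Facebook user id only if the token is valid, issued for this app, and a USER token.
func (v *FacebookVerifier) VerifyAccessToken(token string) (string, error) {
	q := url.Values{"input_token": {token}, "access_token": {v.ClientID + "|" + v.ClientSecret}}
	resp, err := v.HTTP.Get(v.GraphURL + "/debug_token?" + q.Encode())
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // e.g. 400 when our own app access token is rejected
		return "", fmt.Errorf("facebook: /debug_token returned HTTP %d", resp.StatusCode)
	}
	var out debugTokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return "", err
	}
	switch {
	case !out.Data.IsValid: // checked first: app_id/type of an invalid token mean nothing
		return "", ErrTokenInvalid
	case out.Data.AppID != v.ClientID: // substitution: a token minted for another Facebook app
		return "", ErrWrongApp
	case out.Data.Type != "USER" || out.Data.UserID == "": // app or page tokens must not sign a user in
		return "", ErrNotUserToken
	}
	return out.Data.UserID, nil
}

func fbToken(appID, typ, userID string, valid bool) (t debugTokenResponse) {
	t.Data.AppID, t.Data.Type, t.Data.UserID, t.Data.IsValid = appID, typ, userID, valid
	return t
}

// newFakeGraph is a test double: it demands the right app access token and answers /debug_token
// from the constructed map; unknown or expired tokens come back with is_valid=false.
func newFakeGraph(appID, secret string, tokens map[string]debugTokenResponse) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/debug_token" || r.URL.Query().Get("access_token") != appID+"|"+secret {
			http.Error(w, `{"error":{"message":"Invalid OAuth access token.","code":190}}`, http.StatusBadRequest)
			return
		}
		_ = json.NewEncoder(w).Encode(tokens[r.URL.Query().Get("input_token")])
	}))
}

type Outcome struct{ UserID string; Err error }

// RunScenarios checks a genuine token, one minted for another app (substitution), a page token,
// an expired one and an unknown string against the fake server; all values are constructed.
func RunScenarios() map[string]Outcome {
	const appID, secret = "111111111111111", "constructed-app-secret"
	tokens := map[string]debugTokenResponse{
		"tok-our-user":  fbToken(appID, "USER", "1207059", true),
		"tok-other-app": fbToken("222222222222222", "USER", "1207059", true),
		"tok-page":      fbToken(appID, "PAGE", "1207059", true),
		"tok-expired":   fbToken(appID, "USER", "1207059", false),
	}
	srv := newFakeGraph(appID, secret, tokens)
	defer srv.Close()
	v := &FacebookVerifier{ClientID: appID, ClientSecret: secret, GraphURL: srv.URL, HTTP: srv.Client()}
	results := map[string]Outcome{}
	for _, name := range []string{"tok-our-user", "tok-other-app", "tok-page", "tok-expired", "tok-junk"} {
		uid, err := v.VerifyAccessToken(name)
		results[name] = Outcome{UserID: uid, Err: err}
	}
	return results
}
```

Two details worth keeping when writing the real thing: `is_valid` is tested before `app_id` and `type`, because those fields of an invalid-token response carry no meaning, and a non-200 status is surfaced as its own error rather than folded into "invalid token", since it usually means the app access token itself (the server's credential, not the user's) was rejected.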