Support for Facebook Limited Login flow

  • Issue: Unity Cloud Save is broken for Facebook Login on iOS.
  • Cause:
    • On iOS, if a user chooses to deny App Tracking (prompted once per install), Facebook switches to Limited Login.
    • Limited Login does not provide an Access Token.
  • Impact:
    • Unity Cloud Save SDK relies on the existence of an Access Token.
    • Without an Access Token, Unity Cloud Save doesn’t work.
  • Additional Context:
    • Facebook is the most common login method for mobile games.
    • This makes the product effectively non-functional on iOS.

For more details on Limited Login, see Facebook’s documentation:

Has anyone discovered a workaround for this issue?

Hi there!

To clarify, Unity Cloud Save doesn’t store or use it’s own dedicated Access Token, like other Player Services (Leaderboards, Lobby, Cloud Code functions, Economy, Friends, etc) it uses the Access Token obtained by the Unity Authentication SDK.

The Unity Authentication SDK is designed for use with the classic Facebook Login flow, which is supported on all platforms.

Facebook Limited Login is a alternative login mode that developers can optionally support that is exclusive to iOS and provides additional safeguards for users in a way that is designed to be compatible with Apple’s App Tracking Transparency (ATT) privacy protection framework, essentially a fallback when a user declines to share their data for tracking purposes.

Apple require that functionality should not be gated behind a user accepting an ATT prompt. To use Unity Player Services with a Facebook account on iOS, you can implement classic Facebook Login and explain to the end user how you are using their data and/or use another authentication method (Anonymous, Apple Sign In, etc) and make linking an account with Facebook an optional step.

Explicit support and further guidance on how to use Facebook Limited Login flow with Unity Authentication is under evaluation.

If you have a specific issue with not getting any sort of Access Token back from the Facebook SDK for Unity when using Facebook Limited Login that may be an issue with the Facebook SDK, if you are using the latest release of the Facebook SDK for Unity you could try downgrading to v16.0.2 (and providing your own Privacy Manifest) or ask Facebook for guidance.

Issue: The problem isn’t just cloud save but the broader ability to sign in with Facebook using Unity’s Auth SDK on iOS.
ATT Denial: When users deny ATT, the Facebook SDK switches to limited login, which doesn’t provide an access token. This breaks Unity’s SignInWithFacebook API, which depends on the token.
Classic Login: Even using the Classic Facebook login doesn’t help because it also defaults to limited login and doesn’t return the access token.
Outcome: As a result, Unity Cloud Save is broken on iOS when ATT is denied, affecting cross-platform cloud save functionality.
Next Steps: Please check with engineers for a workaround. If none exists, acknowledge that Facebook authentication on iOS is currently broken in this scenario.

As a result, Unity Cloud Save is broken on iOS when ATT is denied, affecting cross-platform cloud save functionality.

This is not the case, you can still use Unity Cloud Save even if a user denies an App Tracking Transparency prompt. Permission to track a user using their Facebook account is not required to use Unity Cloud Save, but is required by Apple to link an app with classic Facebook Login.

This is the intended behaviour by Apple, and they intend that if a user declines permission they require that an app must fall back to using a different mechanism.

e.g. For Unity Player Authentication could be Anonymous sign in, Apple sign in, Username & Password (etc) and you could prompt with LinkWithFacebookAsync() to link a Unity Player Account with a Facebook account.

You can only link a Facebook account with a Unity Player Account using classic Facebook Login, which requires an end user to grant permission to obtain an Access Token which you can then use to link accounts.

Facebook Limited Login does not return an Access Token, it instead returns what they call an Authentication Token, which cannot be used to link with Unity Player Accounts or to make API calls to Facebook.

To simplify: On iOS, if a user denies ATT, can they still use Facebook authentication to access cloud save or not?

This is a very common situation, where a player might sign into Facebook on their Android phone, then switch to their iPad and expect to continue with the same Facebook login and cloud save. Is this scenario supported?

I say no.

This is a very common situation, where a player might sign into Facebook on their Android phone, then switch to their iPad and expect to continue with the same Facebook login and cloud save. Is this scenario supported?

Yes, this scenario is supported.

The user would need to grant you permission to use their Facebook account to do that though.

If an end user signs in with a Facebook Login on an Android device, but then decides not to grant access on an iOS device they will not be able to load their cloud save on the iOS device, unless the app has support for another sign in method (i.e. other than Facebook Login).

That’s exactly what I’ve been trying to explain. Even if the user logs into Facebook on both devices, if they deny ATT (which is unrelated to Facebook), the FB SDK will switch to the limited login flow. This means it won’t provide the access token that the Unity Auth SDK requires, breaking cloud save on iOS.

I’ve tried to be as clear as possible, but there still seems to be some confusion. If it helps, we can jump on a call, and I can walk you through it.

In short, this scenario isn’t supported if the user denies ATT on iOS, even if they’re logged into Facebook on both devices.

Hi there,

In short, this scenario isn’t supported if the user denies ATT on iOS, even if they’re logged into Facebook on both devices.

Yes, agreed, a user must approve the ATT prompt to allow use of their data for tracking if they want to use features that require classic Facebook Login on iOS, this includes using a Facebook account for Account Linking.

If a user opts to login with Facebook on iOS but does not approve the ATT prompt they will not be able to use their Facebook account for Account Linking on the device until they do, as the fallback to Facebook Limited Login flow is device scoped and does not provided an Access Token.

This is a consequence of the intentional design choices of Apple’s framework and Facebook’s service and is not a defect in the Unity Authentication package.

It may help to think of Facebook Limited Login as approach that is intended to be fallback option that is “better than nothing”, as without Limited Login end users who have declined the ATT prompt would not be able to use a Facebook account with an app at all, but with Limited Login developers can still get read-only access to a limited set of account data which they can use to personalise the user experience and populate their app with information about the user (e.g. name, birthday, email, etc).

I think I’ve clarified everything I can in this thread, with mitigations available to developers outlined above.

Please do reach out to teams and Facebook and Apple if you would like confirmation from them that this is expected behaviour when using iOS with Facebook Login.

Regards,

Iain Collins,
Engineering Lead
Authentication, Cloud Save, Leaderboards

Iain, you’re using Facebook login to retrieve the Facebook user ID, which is a unique identifier for read-only purposes. I’m not sure how ATT is relevant here. It seems like the Unity REST API is relying on an outdated integration with the Facebook SDK, and with the recent changes, the Unity SDK is now breaking.

Again, ATT isn’t involved because users explicitly consent to signing in via Facebook to save their progress. I have no idea why cloud save would require users to consent to APP TRACKING.

Firebase has already implemented a workaround for this in their authentication services. I’m not sure why you’re defiant in acknowledging that Unity should handle this scenario as well.

But oh well, we’ll find a way to solve this using our own backend.

Best, Arik.

To confirm, I’ll let everyone know if this changes.

You mentioned that Firebase has already implemented a workaround for this. I’m using firebase and searching for that work around. Do you have a link to documentation?

Hi, I saw this

But didn’t get too much into it.
Hope it helps.

Best, Arik.