Connect Apps to Facebook

The Facebook social connection allows users to log in to your application using their Facebook profile.

By default, Auth0 automatically syncs user profile data with each user login, thereby ensuring that changes made in the connection source are automatically updated in Auth0. Optionally, you can disable user profile data synchronization to allow for updating profile attributes from your application.

Before you begin, sign up for a Facebook Developer account.

To connect your app to Facebook, you will:

Set up app in Facebook
Create and enable connection in Auth0
Test connection

Create an app in the Facebook Developer portal, and add Facebook Login to the app as a Product. During this process, Facebook will generate a App ID and App Secret for your application; make note of these.

While setting up your app, use the following settings:

Field	Value to Provide
How are you using your app?	Select For everything else.
Permissions and Features	Select the permissions your app will require. Only the `default` and `email` permissions do not require app review by Facebook.

While setting up the Facebook Login product, use the following settings:

Field	Value to Provide
Client OAuth Settings	Enable Web OAuth Login (web applications) or Client OAuth Login (native applications), depending on your app type.
Valid OAuth Redirect URIs	`https://YOUR_DOMAIN/login/callback`
Deauthorize Callback URL	Enter the URL you would like Facebook to call when a user does not consent to your app.

Find your Auth0 domain name

If your Auth0 domain name is not shown above and you are not using our custom domains feature, your domain name is your tenant name, your regional subdomain (unless your tenant is in the US region and was created before June 2020), plus.auth0.com. For example, if your tenant name were exampleco-enterprises, your Auth0 domain name would be exampleco-enterprises.us.auth0.com and your redirect URI would be https://exampleco-enterprises.us.auth0.com/login/callback. (If your tenant is in the US and was created before June 2020, then your domain name would be https://exampleco-enterprises.auth0.com.)

If you are using custom domains, your redirect URI will have the following format: https://<YOUR CUSTOM DOMAIN>/login/callback.

Set up the Facebook social connection in Auth0. Make sure you have the generated App ID and the App Secret.

Facebook allows you to create a copy of your application to use for testing purposes. A test application has its own unique App ID and App Secret. Because Auth0 only allows one Facebook connection to be configured per tenant, you have two options while testing in Auth0:

Use the testing application's App ID and App Secret in Auth0's social connection, and then change these values when you are ready to connect to the production application.
Create another Auth0 tenant to use for testing purposes and set up a test environment.

You're ready to test your connection. After logging in, you'll be prompted to allow your app access. To do so, click Install unlisted app.

Once a user successfully authenticates, Facebook will include an Access Token in the user profile it returns to Auth0. You can use this token to call Facebook's API.

To get the Facebook Access Token, you must retrieve the full user's profile using the Auth0 Management API and extract the Access Token from the response. For detailed steps, see Call an Identity Provider's API.

Using the token, you can call Facebook's API following Facebook's documentation.

Optional: Get a Refresh Token from Facebook to refresh your Access Token once it expires. To ensure your application is secure, pay close attention to the restrictions on using Refresh Tokens.

Facebook lets you select the minimum version of the Facebook API that is available to the application. This can be changed in the in the 'Settings/Advanced' section of your application in the Facebook developer portal.

Auth0 has been tested with version 3.2. We recommend setting that as the minimum version, but it could work with newer versions.

Once users authenticate, they will be prompted to accept the permissions your app has requested. Once they authenticate and accept, they will not be expected to re-authenticate unless you force them to. To learn how to force re-authentication, see Facebook's Re-Authentication documentation.

Docs