Skip to main content

Before You Start

Complete these prerequisites before following this quickstart:
  1. Set up Facebook Login SDK - Install and configure the Facebook Login SDK for Android. Create a Facebook app at developers.facebook.com. When done, your app should have Facebook Login working.
  2. Configure Auth0 for Facebook Native - Configure your Auth0 application to use Facebook Native Sign In. See Add Facebook Login to Native Apps.

Get Started

1

Configure Facebook Login permissions

Update the Facebook Login Button in your Activity to request the correct permissions.Your app already supports Facebook Login, but to get a rich user profile you need to request public_profile and email permissions. You’ll also add a callback to kick off the Auth0 authentication flow.
MainActivity.kt
private lateinit var fbCallbackManager: CallbackManager

override fun onCreate(savedInstanceState: Bundle?) {
    super.onCreate(savedInstanceState)
    setContentView(R.layout.activity_login)

    fbCallbackManager = CallbackManager.Factory.create()
    val loginButton = findViewById<LoginButton>(R.id.login_button)

    // Request email and public_profile permissions
    loginButton.setPermissions("email", "public_profile")

    loginButton.registerCallback(fbCallbackManager,
        object : FacebookCallback<LoginResult> {
            override fun onSuccess(result: LoginResult) {
                val accessToken = result.accessToken
                performLogin(accessToken)
            }
            override fun onCancel() {
                // User closed the dialog. Safe to ignore
            }
            override fun onError(error: FacebookException) {
                // Handle Facebook authentication error
            }
        })
}

private fun performLogin(accessToken: AccessToken) {
    // Steps 2–4 will fill this in
}
The email permission is optional — the user must consent to sharing it. The email returned from Facebook will be flagged as non-verified on the Auth0 user profile.
2

Install and configure the Auth0 SDK

Add the Auth0 Android SDK to your project and configure your application credentials.Add the dependency to app/build.gradle.kts:
app/build.gradle.kts
dependencies {
    implementation("com.auth0.android:auth0:3.+")
}
Sync Gradle after adding the dependency.Add your Auth0 credentials to strings.xml:Go to the Applications section of the Auth0 Dashboard and select the application where you enabled Facebook Native Sign In. Copy the Domain and Client ID values.
app/src/main/res/values/strings.xml
<resources>
    <string name="com_auth0_domain">{yourDomain}</string>
    <string name="com_auth0_client_id">{yourClientId}</string>
</resources>
Initialize the Auth0 SDK in your Activity:
MainActivity.kt
private val account: Auth0 by lazy {
    Auth0.getInstance(
        getString(R.string.com_auth0_client_id),
        getString(R.string.com_auth0_domain)
    )
}

private val authenticationApiClient: AuthenticationAPIClient by lazy {
    AuthenticationAPIClient(account)
}
If your app does not use Auth0 Web Authentication, remove the unused activity from AndroidManifest.xml to avoid Manifest Placeholder errors:
app/src/main/AndroidManifest.xml
<application>
    <activity
        android:name="com.auth0.android.provider.AuthenticationActivity"
        tools:node="remove" />
</application>
If you do plan to support Web Authentication, see Authentication via Universal Login.
3

Fetch Facebook session access token

After Facebook Login succeeds, fetch a session access token from the Facebook API. Auth0 requires this token to verify the user’s identity on the backend.Make a GET request to Facebook’s /oauth/access_token endpoint using the GraphRequest class:
MainActivity.kt
private interface SimpleCallback<T> {
    fun onResult(result: T)
    fun onError(cause: Throwable)
}

private fun fetchSessionToken(accessToken: AccessToken, callback: SimpleCallback<String>) {
    val request = GraphRequest()
    request.graphPath = "oauth/access_token"
    val bundle = Bundle()
    bundle.putString("grant_type", "fb_attenuate_token")
    bundle.putString("client_id", getString(R.string.facebook_app_id))
    bundle.putString("fb_exchange_token", accessToken.token)
    request.parameters = bundle
    request.callback = GraphRequest.Callback { response ->
        if (response.error != null) {
            response.error?.exception?.let { callback.onError(it) }
        } else {
            response.jsonObject?.let { callback.onResult(it.getString("access_token")) }
        }
    }
    request.executeAsync()
}
The required query parameters are:
  • grant_type: fb_attenuate_token
  • fb_exchange_token: the access token from Facebook Login
  • client_id: your Facebook App ID (already in your app from the Facebook SDK setup)
4

Fetch Facebook user profile

Fetch the user’s profile from Facebook. Auth0 uses this data to create or update the user’s Auth0 profile.
MainActivity.kt
private fun fetchUserProfile(
    accessToken: AccessToken,
    callback: SimpleCallback<String>
) {
    val request = GraphRequest.newMeRequest(accessToken) { _, response ->
        val error = response?.error
        if (error != null) {
            error.exception?.let { callback.onError(it) }
        } else {
            callback.onResult(response?.rawResponse.toString())
        }
    }
    val bundle = Bundle()
    bundle.putString("fields", "first_name,last_name,email")
    request.parameters = bundle
    request.executeAsync()
}
The fields parameter maps directly to the Facebook permissions you requested. Requesting first_name, last_name, and email is sufficient for Auth0 to create a complete user profile.
5

Exchange tokens for Auth0 credentials

Use the session token and user profile from the previous steps to authenticate with Auth0 and receive Auth0 tokens.Call loginWithNativeSocialToken on the AuthenticationAPIClient, passing the session token with the Facebook subject token type:
MainActivity.kt
private fun exchangeTokens(
    sessionToken: String,
    userProfile: String,
    callback: SimpleCallback<Credentials>
) {
    authenticationApiClient
        .loginWithNativeSocialToken(
            sessionToken,
            "http://auth0.com/oauth/token-type/facebook-info-session-access-token"
        )
        .setScope("openid profile email offline_access")
        .addParameter(name = "user_profile", value = userProfile)
        .start(object : Callback<Credentials, AuthenticationException> {
            override fun onSuccess(result: Credentials) {
                callback.onResult(result)
            }
            override fun onFailure(error: AuthenticationException) {
                callback.onError(error)
            }
        })
}
The subject token type http://auth0.com/oauth/token-type/facebook-info-session-access-token tells Auth0 to use the Facebook native connection for authentication.
6

Put it all together

Complete the performLogin method to chain all three steps: fetch session token → fetch user profile → exchange for Auth0 tokens.
MainActivity.kt
private fun performLogin(accessToken: AccessToken) {
    fetchSessionToken(accessToken, object : SimpleCallback<String> {
        override fun onResult(sessionToken: String) {
            fetchUserProfile(accessToken, object : SimpleCallback<String> {
                override fun onResult(userProfile: String) {
                    exchangeTokens(sessionToken, userProfile, object : SimpleCallback<Credentials> {
                        override fun onResult(result: Credentials) {
                            // Authenticated! Use result.accessToken or result.idToken
                        }
                        override fun onError(cause: Throwable) {
                            // Handle token exchange error
                        }
                    })
                }
                override fun onError(cause: Throwable) {
                    // Handle profile request error
                }
            })
        }
        override fun onError(cause: Throwable) {
            // Handle session token request error
        }
    })
}
Keep constants (subject token type, Facebook permissions, Auth0 scopes) at the top of your class to avoid magic strings scattered throughout the code.
CheckpointYou should now be able to authenticate natively with Facebook. If the Facebook app is installed on the device, authentication is handled through the app directly — no browser required.

Troubleshooting & Advanced

Token exchange fails with authentication error

Solutions:
  1. Verify your Auth0 application has Facebook Native Sign In enabled in the Dashboard
  2. Check that the Facebook App ID in your strings.xml matches the one in the Facebook Developer Console
  3. Confirm the subject token type string matches exactly: http://auth0.com/oauth/token-type/facebook-info-session-access-token
  4. Ensure the Facebook access token hasn’t expired before calling performLogin

Session token request returns an error

Fix:
  • Verify R.string.facebook_app_id is correctly set in your strings.xml
  • Ensure the fb_exchange_token is the raw token string from the Facebook AccessToken object
  • Check that your Facebook app is not in Development Mode if testing with non-admin users

AuthenticationException: “Connection not found”

Fix:
  1. Go to Auth0 Dashboard → AuthenticationSocial
  2. Verify Sign in with Facebook is enabled
  3. Confirm Facebook Native Social Login is turned on in the connection settings
  4. Check the Auth0 application is associated with the Facebook connection

User profile fields are missing

  • Confirm public_profile and email are listed in the setPermissions call
  • The user may have declined the email permission — handle null email gracefully
  • Verify the same fields are in the fields bundle in fetchUserProfile

Security Best Practices

  • Disable logging in production: Remove or gate enableLogging = true on the DefaultClient — it logs network traffic
  • Secure token storage: Use SecureCredentialsManager to store Auth0 tokens in the Android Keystore
  • Refresh tokens: Request offline_access scope and implement token refresh to maintain sessions

Facebook App Configuration

  • Switch your Facebook app from Development Mode to Live before releasing
  • Add your app’s SHA-1 key fingerprint to the Facebook Developer Console
  • Review Facebook’s Data Policy requirements for apps using the Login SDK

Google Play Store

  • Follow Google Play’s policies for apps that use third-party authentication
  • Include Facebook Login in your app’s privacy policy

Next Steps

Configure other identity providers

Add Google, Apple, and other social login providers

Attack Protection

Protect against brute force and bot attacks

Actions

Customize authentication flows with serverless code

Android SDK Reference

Explore the full Auth0 Android SDK documentation