UPDATE – March 2018
Facebook has been aggressively tightening security. Any new Facebook Login Apps created AFTER the beginning of March 2018 now have Use Strict Mode for Redirect URIs and Enforce HTTPS enabled by default, and these settings can no longer be disabled.
So what does this mean?
Two things. Firstly, you can no longer use Facebook Login if your site isn’t HTTPS. It’s annoying for sure, but most hosting providers now provide free SSL certificates through Let’s Encrypt. Usually it’s just a case of enabling it. If your hosting provider doesn’t, then I’d strongly recommend switching hosts. HTTPS is encrypted and therefore more secure. It also now affects your Google Ranking, and soon Google will be putting ‘Insecure’ warnings next to sites without it in their search results. There’s pretty much no good reason not to have HTTPS these days.
Secondly, it means that you now have to put the exact return URL into the Valid OAuth Redirect URIs input. Previously, with strict mode disabled, you could just put your domain name in and that would be enough. Now it has to be the exact URL that you return to once you’ve authorised Facebook. This will be different depending on the App you’re using to connect to Facebook. If you’re using WP Native Articles it’s:
Read more about Enabling Use Strict Mode for Redirect URIs with WP Native Articles.
If you’re unsure what your callback URL should be, get in touch with the makers of the App you’re using or check the documentation.
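The difference between the old domain-only check and strict mode, as an added example that is not from the original post and is not Facebook's own code. It is a simplified model; the domain `example.com`, the callback path `/oauth/callback` and the function names are constructed placeholders.

```javascript
// Simplified model of redirect URI checking (illustration only).
// All URLs below are constructed samples.

// Behaviour before strict mode, as the post describes it:
// having the right domain name is enough.
function domainOnlyMatch(registeredDomain, redirectUri) {
  let url;
  try { url = new URL(redirectUri); } catch { return false; }
  return url.hostname === registeredDomain;
}

// Strict mode with Enforce HTTPS: the scheme must be https and the
// whole URL must appear in the Valid OAuth Redirect URIs list.
// Exact string comparison means a trailing slash counts as a difference.
function strictMatch(validRedirectUris, redirectUri) {
  let url;
  try { url = new URL(redirectUri); } catch { return false; }
  if (url.protocol !== 'https:') return false;
  return validRedirectUris.includes(redirectUri);
}

// Run both checks over a list of candidate return URLs.
function compare(registeredDomain, validRedirectUris, candidates) {
  return candidates.map((uri) => ({
    uri,
    domainOnly: domainOnlyMatch(registeredDomain, uri),
    strict: strictMatch(validRedirectUris, uri),
  }));
}

const SAMPLE_DOMAIN = 'example.com';
const SAMPLE_VALID_URIS = ['https://example.com/oauth/callback'];
const SAMPLE_CANDIDATES = [
  'https://example.com/oauth/callback',         // the registered callback
  'https://example.com/oauth/callback/',        // trailing slash added
  'https://example.com/some/other/page',        // same site, different page
  'http://example.com/oauth/callback',          // not HTTPS
  'https://example.com.other.test/oauth/callback', // different host
];

console.table(compare(SAMPLE_DOMAIN, SAMPLE_VALID_URIS, SAMPLE_CANDIDATES));
```

Only the first candidate passes the strict check, which is why a setup that worked with just the domain name starts failing once strict mode is on.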
For Facebook Apps created BEFORE March 2018
Over the last 24 hours loads of developers have been having issues creating new Apps with Facebook.
It was confirmed on Facebook’s bug platform that they had made some changes to the default settings for new Apps and now Strict Mode is automatically enabled for the OAuth settings. Strict mode means that when using Facebook login to connect your application or website to the App, the OAuth redirect URL has to be explicitly set, whereas before it didn’t.
This is clearly part of a drive on their part to increase security, which is a good thing, but it was a bit of a surprise and makes setting up applications more complicated. They are working on improving the error message.
How to fix
1. Go to http://developers.facebook.com/apps/ and select the app you wish to fix.
2. At the bottom of the left hand menu click the + Add Product link.
3. Select Facebook Login as the Product.
4. Select Web.
5. Enter your Site URL and hit save.
6. Hit Continue then keep clicking Next, ignoring all the code, until you get to Step 5.
7. In the left hand menu you should now see Facebook Login, click the Settings menu item underneath it.
8. Under Client OAuth settings, where it says Use Strict Mode for Redirect URIs, make sure it’s set to No and that your site URL is in the Valid OAuth redirect URIs box. Then hit save.
9. You should now be able to connect your app as normal.