Facebook - OAuth

Facebook for Developers
Graph API Explorer
request URL
authorize URL (aka authorization URL)
redirect URI (aka callback URL)

  1. https://paw.cloud/docs/examples/facebook-api

whitelist redirect URI

  1. https://help.sharetribe.com/managing-your-marketplace/social-media/how-to-solve-the-url-blocked-this-redirect-failed-because-facebook-login-error
  2. https://stackoverflow.com/questions/2459728/how-to-test-facebook-connect-locally

it’s necessary to whitelist the redirect URI - all other redirect URIs will be blocked by Facebook:

URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings. Make sure Client and Web OAuth Login are on and add all your app domains as Valid OAuth Redirect URIs.

add local domain to /etc/hosts (a hosts entry needs an IP, so the custom domain is pointed at loopback):

  # /etc/hosts

  + 127.0.0.1 sith.local   # resolve the custom local domain to loopback

alternatively, localhost itself can be whitelisted as a valid redirect URI in FD (Facebook for Developers) without using any custom local domain:

Facebook does not “connect” back to your server. Their JS does. And the JS runs in the context of your browser. Which knows where “localhost” points to.

whitelist local domain in FD

Any new Facebook Login Apps created AFTER the beginning of March 2018 now have Use Strict Mode for Redirect URIs and Enforce HTTPS enabled by default and can no longer be disabled.

…it means that you now have to put the exact return URL into the Valid OAuth Redirect URIs input. Previously, with strict mode disabled, you could just put your domain name in and that would be enough.

=> you must use the exact redirect URI - entering just the domain name as a valid redirect URI (say, http://sith.local) is not enough, or else you’ll get this error:

Can’t Load URL: The domain of this URL isn’t included in the app’s domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings.

PRODUCTS (section in left menu) → Facebook Login → Settings
Client OAuth Settings (section)
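As an added example (not code from this page, from OmniAuth/Ueberauth or from any Facebook SDK), a small Ruby module that mirrors the strict-mode check from the app’s side, so a redirect URI that would trigger “URL Blocked” is caught before the user is sent to Facebook, next to the old domain-only check it replaced. The unversioned dialog endpoint, the `sith.local` callback path and the `state` handling are assumptions.

```ruby
require "uri"
require "securerandom"

# Hypothetical helper: models Facebook's "Use Strict Mode for Redirect URIs"
# and "Enforce HTTPS" settings from the application's point of view.
module FacebookRedirectCheck
  # Assumed endpoint: the Graph API version prefix is deliberately omitted.
  AUTHORIZE_URL = "https://www.facebook.com/dialog/oauth"

  # Strict mode: the redirect URI must equal a whitelisted entry component by
  # component (scheme, host, port, path, query). A bare domain entry such as
  # "http://sith.local" therefore does NOT cover
  # "http://sith.local/auth/facebook/callback".
  def self.strict_match?(whitelist, redirect_uri, enforce_https: true)
    candidate = URI.parse(redirect_uri)
    return false if enforce_https && candidate.scheme != "https"
    whitelist.any? do |entry|
      allowed = URI.parse(entry)
      %i[scheme host port path query].all? do |part|
        allowed.public_send(part) == candidate.public_send(part)
      end
    end
  end

  # Pre-strict-mode behaviour: any URL on a whitelisted domain passed, so the
  # exact path the authorization code was delivered to was never pinned.
  def self.domain_match?(whitelist, redirect_uri)
    host = URI.parse(redirect_uri).host
    whitelist.any? { |entry| URI.parse(entry).host == host }
  end

  # Builds the authorize URL the app redirects the user to. `state` is a
  # per-request random value that the callback compares against the session.
  def self.authorize_url(client_id:, redirect_uri:, scope:, state: SecureRandom.hex(16))
    params = URI.encode_www_form(
      client_id: client_id, redirect_uri: redirect_uri,
      scope: Array(scope).join(","), response_type: "code", state: state
    )
    "#{AUTHORIZE_URL}?#{params}"
  end
end
```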

request permissions from user

  1. https://developers.facebook.com/docs/marketing-api/access#manually-getting-access-tokens

NOTE: scopes = permissions.

how an OAuth library works

both OmniAuth and Ueberauth work alike under the hood:

server-side authentication flow in Facebook

  1. https://developers.gigya.com/display/GD/Facebook+Login+Permissions#FacebookLoginPermissions-AvailablePermissions

there are 2 possible outcomes when the user is prompted by Facebook to grant permissions - either an app or a business integration is added to the user’s Facebook account:

the corresponding permissions can be revoked by removing that app or business integration from the user’s Facebook account.

any successful response from Facebook contains, inter alia, a persistent access token (JWT token), but its scopes may differ depending on the user’s action (scopes is a JWT token field). if an access token with the requested scopes has been created before, Facebook won’t prompt the user the next time the request is made but will return a new token with the same scopes - most likely this invalidates the previous tokens.