How to turn off "Use Strict Mode for Redirect URIs" in facebook app


Is there any way to turn off the option Use Strict Mode for Redirect URIs in a Facebook app? It seems that as of March 2018 this property is automatically turned on and greyed out, so it cannot be disabled. Facebook seems to disallow authentication unless the exact URL is mentioned in Valid OAuth Redirect URIs. This is a problem because the Sitecore Social Connected module seems to pass in a different state parameter in the query string each time you log in. I have tested using the Redirect URI Validator in the Facebook app and this confirms that the redirect must be exactly as per Valid OAuth Redirect URIs.

2

There are 2 best solutions below

0
BEST ANSWER

Is there any way to turn off the option Use Strict Mode for Redirect URIs in a Facebook app?

NO

Due to the security changes made to Facebook, it's no longer possible to turn off this setting.


Regarding specifics of Sitecore and the Social Connected module, I found from @CBroe's comments that the Valid OAuth Redirect URIs now needs to contain a query string parameter as follows:

http://example.com/layouts/Social/Connector/SocialLogin.ashx?type=access

Previously I just had

http://example.com/layouts/Social/Connector/SocialLogin.ashx

If you are using HTTPS, you will need to enter the URI with the port number as well i.e.

https://example.com:443/layouts/Social/Connector/SocialLogin.ashx?type=access

This last point is not related to the recent Facebook app changes.

0

Same experience, I could not turn it off. What eventually worked for me was

I have a link on my site that starts the login process:

https://www.example.com/users/auth/facebook

Following this causes my rails app to redirect to

https://www.facebook.com/v2.6/dialog/oauth?client_id=1234&redirect_uri=https%3A%2F%2Fwww.example.com%2Fusers%2Fauth%2Ffacebook%2Fcallback&response_type=code&scope=email&state=123456

Facebook replies with

https://www.example.com/users/auth/facebook/callback?code=abcverylongcodexyz

Therefore the URI that needs to be whitelisted is simply "https://www.example.com/users/auth/facebook/callback", without the code part.

FWIW, when I moved my site from http to https I needed to update my config/initializers/devise.rb to include

config.omniauth :facebook, '1234', '34567', :scope => 'email', :callback_url => 'https://www.example.com/users/auth/facebook/callback'

as it was still using the http: protocol in the callback url, and you can't whitelist any URI in that protocol under the current guidelines.
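As an added illustration of the strict matching both answers describe (this is not code from either poster, nor from Facebook, Sitecore or Devise): a small Python model of a strict-mode whitelist check, a client that keeps its per-login value in the state parameter so the redirect_uri stays identical to the registered entry, and a simulated provider callback. The hosts, client id, code and state values are constructed placeholders.

```python
from urllib.parse import urlsplit, urlencode, parse_qsl

# Constructed sample whitelist: the two (placeholder) callback URLs from the answers.
VALID_OAUTH_REDIRECT_URIS = frozenset({
    "https://www.example.com/users/auth/facebook/callback",
    "http://example.com/layouts/Social/Connector/SocialLogin.ashx?type=access",
})


def redirect_uri_allowed(redirect_uri, allowed=VALID_OAUTH_REDIRECT_URIS):
    """Strict matching: scheme, host[:port], path and query string must all equal
    a registered entry. No prefix or wildcard matching; fragments are rejected."""
    cand = urlsplit(redirect_uri)
    if cand.fragment:
        return False
    return any(
        (cand.scheme, cand.netloc, cand.path, cand.query)
        == (reg.scheme, reg.netloc, reg.path, reg.query)
        for reg in map(urlsplit, allowed)
    )


def build_dialog_url(client_id, redirect_uri, state, scope="email"):
    """Client side: the per-login value goes in `state`, not into redirect_uri,
    so redirect_uri is byte-for-byte the registered one."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri is not registered: %s" % redirect_uri)
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": scope, "state": state}
    return "https://www.facebook.com/v2.6/dialog/oauth?" + urlencode(params)


def provider_callback(dialog_url, code):
    """Simulated provider side: validate redirect_uri from the dialog request
    against the whitelist, then append the code and echo the state. The code is
    appended after the check, which is why it is not part of the whitelist entry."""
    q = dict(parse_qsl(urlsplit(dialog_url).query))
    target = q["redirect_uri"]
    if not redirect_uri_allowed(target):
        return None  # a real provider shows an error page instead of redirecting
    sep = "&" if urlsplit(target).query else "?"
    return target + sep + urlencode({"code": code, "state": q["state"]})
```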