
Social Login: Facebook App Requires Strict URI Matching

By Eric Schreiner | Posted on February 15, 2018

If you have enabled Facebook social login, you need to be aware of changes to Facebook’s security model that will take place in March 2018. If your Facebook app does not meet the new security requirements, users will no longer be able to log on to your site by using their Facebook accounts.

What are Facebook's new security requirements?

There are two new requirements you need to be concerned about:

  • “Strict URI matching” will now be required for all redirect URIs. Facebook has always recommended that the redirect URIs used by a Facebook app appear in the app’s Valid OAuth redirect URIs list. However, up until now Facebook has allowed apps without a Valid OAuth redirect URIs list to accept tokens from any endpoint in their domain.
  • “Prefix matching” will no longer be allowed. With prefix matching, any URI prefixed by a URI that is shown on the Valid OAuth redirect URIs list was acceptable. For example, if was on the Valid OAuth redirect URIs list, Facebook would also accept redirects to URIs like or

Beginning in March 2018, all OAuth apps will need to have a Valid OAuth redirect URIs list, and redirects will only be accepted for URIs that are explicitly included on that list. For example, if is the only URI on the list then redirects to or will no longer be allowed. If your app references a URI that is not on the approved list, login will fail:

[Screenshot: Facebook login blocked]
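To make the difference between the two matching rules concrete, here is an added Python example; it is not Facebook's code, nor Janrain's, and the allowlist and the sample redirect URIs in it are constructed placeholders rather than values from this post. It compares a redirect URI against an allowlist under the legacy prefix rule and under strict exact matching, and reports which redirect URIs an app has been sending will stop working once only exact matches are accepted.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for an app's "Valid OAuth redirect URIs"
# entries. Placeholder values, not URIs taken from this post.
VALID_REDIRECT_URIS = [
    "https://login.example.com/oauth/callback",
]

# Constructed sample of redirect URIs an app might have been sending, chosen to
# show which ones only worked because of prefix matching.
OBSERVED_REDIRECT_URIS = [
    "https://login.example.com/oauth/callback",
    "https://login.example.com/oauth/callback/",
    "https://login.example.com/oauth/callback?next=/account",
    "HTTPS://LOGIN.EXAMPLE.COM/oauth/callback",
    "https://login.example.com/oauth/Callback",
    "https://login.example.com.evil.test/oauth/callback",
]


def _normalize(uri: str) -> str:
    """Lower-case only the scheme and host; path, query and fragment stay as given."""
    parts = urlsplit(uri)
    # urlsplit already lower-cases the scheme; host names are case-insensitive too (RFC 3986),
    # so lower-casing the authority lets "HTTPS://LOGIN.EXAMPLE.COM/x" equal "https://login.example.com/x".
    return parts._replace(netloc=parts.netloc.lower()).geturl()


def prefix_match(redirect_uri: str, allowed: list[str]) -> bool:
    """Legacy prefix matching: any URI that merely begins with an allowlisted entry is accepted."""
    candidate = _normalize(redirect_uri)
    return any(candidate.startswith(_normalize(entry)) for entry in allowed)


def strict_match(redirect_uri: str, allowed: list[str]) -> bool:
    """Strict matching: the URI must equal an allowlisted entry exactly (path and query included)."""
    if urlsplit(redirect_uri).fragment:
        # Added guard, not something the post describes: OAuth 2.0 (RFC 6749, section 3.1.2)
        # forbids a fragment component in the redirection endpoint URI.
        return False
    candidate = _normalize(redirect_uri)
    return any(candidate == _normalize(entry) for entry in allowed)


def will_break_under_strict(observed: list[str], allowed: list[str]) -> list[str]:
    """Redirect URIs that prefix matching accepts today but strict matching will reject.

    These are the ones to fix before the cutover: either register them exactly, or stop
    sending the extra path segment or query string.
    """
    return [u for u in observed if prefix_match(u, allowed) and not strict_match(u, allowed)]


def audit(observed: list[str], allowed: list[str]) -> dict[str, str]:
    """Classify each observed redirect URI against the allowlist."""
    report = {}
    for uri in observed:
        if strict_match(uri, allowed):
            report[uri] = "ok"
        elif prefix_match(uri, allowed):
            report[uri] = "breaks under strict mode"
        else:
            report[uri] = "never accepted"
    return report


if __name__ == "__main__":
    for uri, verdict in audit(OBSERVED_REDIRECT_URIS, VALID_REDIRECT_URIS).items():
        print(f"{verdict:25} {uri}")
```

Two points the run makes visible: a trailing slash or a query string appended to a registered URI is enough to fail strict matching, so the exact string your site sends is what has to be on the list; and `strict_match` is the same list-membership test that the Check URI button performs, so a passing result says the entry is registered, not that it is the URI your site actually uses.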



How to verify compliance with Facebook's new security requirements

To verify whether or not your Facebook app is compliant with the new security requirements, complete the following procedure:

1. Log on to the Facebook for Developers center.

2. From the Facebook for Developers home page, click My Apps and then click the name of the app you use for social logins:

[Screenshot: My Apps list in Facebook for Developers]


3. From the Dashboard for your app, click Facebook Login:

[Screenshot: app Dashboard with Facebook Login selected]


4. Verify that your Facebook redirect URI (or URIs) is listed in the Valid OAuth redirect URIs list and that Use Strict Mode for URIs is set to Yes:

[Screenshot: Valid OAuth redirect URIs and Use Strict Mode settings]


If both of these criteria are true, then you should have nothing to worry about. However, if the Valid OAuth redirect URIs list is blank and you see the following warning notices about OAuth redirect URIs, then you have more work to do.

[Screenshot: OAuth redirect URI warning notices]


Updating your app to comply with Facebook's new security parameters

To update your app, and to bring it into compliance with strict URI matching, complete the following procedure:

1. Log in to the Facebook for Developers center, and proceed to My Apps / Facebook Login (steps 1-3 above).

2. In the Valid OAuth redirect URIs field, type the redirect URI for your website and then press ENTER:

[Screenshot: entering a redirect URI in the Valid OAuth redirect URIs field]

Your redirect URI will typically have the format For example, if your Engage app has the name my--test-app, your redirect URI would be If you have questions about your redirect URI, contact your Janrain representative - we're happy to help!

If you have more than one redirect URI, type each URI in the Valid OAuth redirect URIs field. You can enter additional URIs by clicking in the Valid OAuth redirect URIs field, typing a URI, and then pressing ENTER. URIs can be removed from the list by clicking the X at the end of the URI:

[Screenshot: removing a redirect URI from the list]


3. After you have entered your redirect URIs, click Use Strict Mode for Redirect URIs.

4. Click Save Changes.


Checking your work

After making these changes, you can validate a redirect URI by completing the following procedure:

1. From the Client OAuth Settings page, type the redirect URI into the Redirect URI to Check field.

2. Click Check URI. If the redirect URI works, you’ll see a message similar to this:

[Screenshot: "This is a valid redirect URI" result from Check URI]


Note that this test does not verify that this is the correct redirect URI for your domain; it simply verifies that the URI appears in the list of OAuth redirect URIs. To verify that this is the correct redirect URI for your site, try logging on to the site by using a Facebook account.

For more information, see the Facebook for Developers article Enhanced Security for Facebook Login with Strict URI Matching.


About the author

Eric Schreiner

Eric Schreiner brings over 18 years' experience designing and implementing business solutions, with the last 10 years focused on enterprise SaaS applications. His expertise blends system design and integration experience with his ability to align technology delivery to business processes, workflows and results. At Janrain, Eric leads our Product Management team, responsible for the cloud-native, multi-tenant Identity platform that forms Janrain’s core CIAM solution. Prior to Janrain, he worked with industry leaders in the aerospace, engineering and manufacturing industries to apply SaaS solutions to their hazardous chemical data and inventory management practices. Eric has a B.A. in Computer Science from the University of Oregon.
