Facebook App Warning – March Security Update & changes to Valid OAuth redirect URIs field

by Edward on

You’ve probably seen this error message recently on one or more of your Facebook Apps, but what is it and how do you fix it?

In March, we’re making a security update to your app settings that will invalidate calls from URIs not listed in the Valid OAuth redirect URIs field below. This update comes in response to malicious activity we saw on our platform, and we want to protect your app or website by requiring a new strict mode for redirect URIs. Learn More

What does it mean?

Recently Facebook have been putting a serious focus on security, and this is part of that. In the past, if you created a Facebook app for connecting to Facebook, as long as you had the OAuth Token and OAuth Secret installed correctly you could log in and connect your site. Unfortunately this isn’t a perfect solution: people tend to share their App details, meaning malicious sites could connect to your app themselves and hijack your page.

In an effort to combat this, last year they changed it so that you had to whitelist all the domains that were allowed to use that App for connecting to Facebook.

Now they’re going one step further: not only do you have to whitelist the domain you’re making the redirect to, but also the exact URL on that site that you’ll be using.

How to fix it

1. Go to the Facebook App you’re having an issue with.
2. In the left-hand menu, go to Facebook Login -> Settings.
3. Make sure Use Strict Mode for Redirect URIs is enabled.
4. Add your exact redirect URL to the Valid OAuth redirect URIs field. If you’re using WP Native Articles, when you try to connect to Facebook it will throw an error and show you the exact URL to add (in v1.4.0 and higher it looks like http://your-site.com/wp-admin/admin.php?page=wpna_facebook&tab=api&wpna-action=facebook_login).

n.b. The URLs need to match exactly, so if your site uses an SSL certificate please ensure you change it to https.

Your App should look similar to this if it’s correctly configured.

5. Hit Save Changes and the notice should then disappear. Make sure you’ve added the URL correctly, though, otherwise you’ll get an error when trying to Authorise your App.
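To see why the older domain whitelist was not enough and why an http/https mix-up now fails, here is an added example (not Facebook's or WP Native Articles' code) that compares a domain-only check with an exact-match check and reports which part of a rejected URL differs. It assumes strict mode is a plain exact string comparison, as this post describes; the function names and the https entry in the list are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of a "Valid OAuth redirect URIs" list, using the URL
# shape this post gives for WP Native Articles v1.4.0+ on an SSL site.
VALID_REDIRECT_URIS = [
    "https://your-site.com/wp-admin/admin.php"
    "?page=wpna_facebook&tab=api&wpna-action=facebook_login",
]
PARTS = ("scheme", "netloc", "path", "query", "fragment")


def domain_allowed(redirect_uri, allowed):
    """Simplified model of the older rule: any URL on a listed host passes."""
    host = urlsplit(redirect_uri).hostname
    return any(urlsplit(entry).hostname == host for entry in allowed)


def strict_allowed(redirect_uri, allowed):
    """Assumed strict-mode rule: the whole URL must equal a listed entry."""
    return redirect_uri in allowed


def explain_mismatch(redirect_uri, allowed):
    """Return the URL parts that differ from the closest listed entry."""
    if strict_allowed(redirect_uri, allowed):
        return []
    got, best = urlsplit(redirect_uri), None
    for entry in allowed:
        want = urlsplit(entry)
        diffs = [p for p in PARTS if getattr(got, p) != getattr(want, p)]
        diffs = diffs or ["raw string"]  # e.g. a stray trailing "?"
        if best is None or len(diffs) < len(best):
            best = diffs
    return best if best is not None else ["no entries listed"]


if __name__ == "__main__":
    listed = VALID_REDIRECT_URIS[0]
    candidates = [
        listed,                                    # exact match
        listed.replace("https://", "http://", 1),  # wrong scheme
        "https://your-site.com/some/other/page",   # same domain, other URL
    ]
    for uri in candidates:
        print(uri)
        print("  domain-only:", domain_allowed(uri, VALID_REDIRECT_URIS),
              "| strict:", strict_allowed(uri, VALID_REDIRECT_URIS),
              "| differs in:", explain_mismatch(uri, VALID_REDIRECT_URIS))
```

The second and third candidates pass the domain-only check but fail the strict one, which is the gap the new setting closes.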

You can read more about enabling Facebook OAuth Strict Mode for WP Native Articles here.