Facebook JavaScript SDK – OAuth Redirect URI Validation Issue when Exchanging Authorization Code

I’m currently setting up Facebook Login. I’m using the code response type and successfully getting back an authorization code.
Attempting to exchange the authorization code for an access token on the backend fails with this message:

Error validating verification code. Please make sure your redirect_uri
is identical to the one you used in the OAuth dialog request.

Code: 100,
SubCode: 36008

I’m using the Facebook JS SDK on the frontend, and while I correctly set the Valid OAuth Redirect URIs, I’m not specifying any redirect_uri when invoking the Facebook login dialog (with FB.login(..)), and no redirection is involved as the Facebook login dialog posts the auth code back to my app using postMessage. Even when I specify a redirect_uri when invoking the Login dialog, it gets ignored.

On the backend, when exchanging the code for an access token (with oauth/access_token), I tried all the allowed redirect URIs configured on the app, but nothing works and I get the same error.

Any idea how to solve this? Thank you.

  • When I test this, the login dialog URL contains a redirect_uri value of https://staticxx.facebook.com/x/connect/xd_arbiter/?version=46#... with some URL fragment at the end. The fragment should be negligible, but the rest is what you’d need to pass in your exchange code for token call. Which makes this kinda problematic, because I’m guessing the ?version=46 is going to change at some point …

  • I already tried using the redirect_uri from the login dialog, but any URL not included in my app’s domains gets rejected: Can't load URL: The domain of this URL isn't included in the app's domains

  • I thought it might be white-listed per se (they have a similar URL for desktop apps), but if that is not the case … then I don’t know how exactly this is currently supposed to work either. Or if it is supposed to work, because the response_type parameter isn’t even documented (any more?) for login with the JS SDK, as far as I can tell. I would either get the token directly on the client side, if you want to continue using the JS SDK for login; or implement the server-side login flow instead.

  • I’m actually using Facebook Login for Business, and I think at some point, the implicit flow (where you can get the token directly on the client) will not work for that product, and you’ll have to use the authorization code flow. The only solution I can think of right now is to manually trigger the Login dialog: Manually Build a Login Flow
