
In 90 Days, Facebook Login Will Require Strict URI Matching - methodover
https://developers.facebook.com/blog/post/2017/12/18/strict-uri-matching/
======
methodover
> All redirect URIs used by an app need to be listed in the Valid OAuth
> redirect URIs list in the app's Login Settings in order to be used in our
> OAuth flow. However, there have been two exceptions to this rule. The first
> exception is that apps with an empty list of Valid OAuth redirect URIs were
> grandfathered into being allowed to receive tokens on any endpoint on their
> domain. The second exception is that redirect URIs are allowed to "prefix
> match", meaning any URI that is prefixed by a URI on the list of Valid OAuth
> URIs would be valid.

For us, the base URI for the FB OAuth redirect flow is always the same, but
the querystring params include some special information (namely, a key-value
pair that tells us where to redirect the user after the successful FB login).

Now I guess we'll have to change our approach.

Not sure why querystring params aren't OK.
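
Added example, not part of the original comment or of Facebook's code: a comparison of the prefix matching and strict matching described in the quote, plus one way to keep a fixed redirect URI by carrying the post-login destination in the standard OAuth `state` parameter with an HMAC tag. The URIs, the key, the app ID placeholder and all function names are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# All values below are constructed for illustration.
REGISTERED = ["https://app.example.com/auth/fb/callback"]
STATE_KEY = b"constructed-demo-key"  # assumption: a server-side secret


def prefix_match(uri, registered=REGISTERED):
    """Prefix matching: any URI that starts with a listed URI passes."""
    return any(uri.startswith(r) for r in registered)


def strict_match(uri, registered=REGISTERED):
    """Strict matching: the URI must equal a listed URI exactly."""
    return uri in registered


def pack_state(return_to, key=STATE_KEY):
    """Encode the post-login destination and append an HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(json.dumps({"return_to": return_to}).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + tag).decode()


def unpack_state(state, key=STATE_KEY):
    """Return the destination if the tag verifies and it is a local path."""
    body, _, tag = state.encode().partition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return_to = json.loads(base64.urlsafe_b64decode(body))["return_to"]
    # Accept same-site paths only; reject "//host" and "/\host" forms.
    if not return_to.startswith("/") or return_to[1:2] in ("/", "\\"):
        return None
    return return_to


def authorize_params(return_to):
    """Query parameters for the login request: fixed redirect_uri, variable state."""
    return {
        "client_id": "APP_ID_PLACEHOLDER",
        "redirect_uri": REGISTERED[0],
        "state": pack_state(return_to),
    }
```

With this shape the `redirect_uri` sent to the provider never varies, so it passes an exact comparison, and the callback handler calls `unpack_state` on the returned `state` to decide where to send the user.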

