Back to News for Developers

Strict URI Matching

December 18, 2017ByPhillip Hodgson

In an effort to increase security for apps using Facebook Login, we're making some important changes to the handling of URI redirects.

These changes only affect apps using a custom OAuth flow; for apps using the JavaScript, iOS or Android SDKs, no action is required.

All redirect URI's used by an app need to be listed in the Valid OAuth redirect URIs list in the app's Login Settings in order to be used in our OAuth flow. However, there have been two exceptions to this rule. The first exception is that apps with an empty list of Valid OAuth redirect URIs were grandfathered into being allowed to receive tokens on any endpoint on their domain. The second exception is that redirect URIs are allowed to "prefix match", meaning any URI that is prefixed by a URI on the list of Valid Oauth URIs would be valid.

In response to malicious activity we were seeing on our platform, we recently create a new security option called "Strict Mode" which, when enabled, removes these two exceptions.

In March, we'll be turning on Strict Mode for everyone by default. If you need to update your Valid OAuth redirect URIs list, you'll see a notice in your account interface informing you of this change today. You can also use our Redirect URI Validator on the Facebook Login settings page to see if you have any links impacted by this change.

If you need to update your redirect URIs, follow our developer documentation on how to enable Strict Mode. Several options are provided for making this as easy as possible.

Be sure to update your URIs so that your custom login flow will continue to work after the migration in March.