Hey there! Let's get your Meteor app sorted for Facebook's upcoming security update. Here's exactly what you need to add to the Valid OAuth redirect URIs field in your Facebook App Settings:

Core Redirect URI Structure #

Meteor's accounts-facebook package uses a standardized endpoint for OAuth redirects. All your URIs will follow this format:

[your-app-base-url]/oauth/_redirect

Breakdown by Environment #

• Local Development: If you're running your app locally (default port 3000), add:
  http://localhost:3000/oauth/_redirect
  Note: If you use a custom port (e.g., 4000), replace 3000 with your port number.

• Production Environment: Add your live app's full base URL plus the redirect path. For example:
  https://your-production-domain.com/oauth/_redirect
  If you use a subdomain, it would look like https://app.your-domain.com/oauth/_redirect.

Critical Notes to Remember #

• Always include the full protocol (http:// or https://) — Facebook will reject URIs without this.
• If you use SSL for local development (via meteor --ssl), swap http:// for https:// in your local URI.
• Don't add extra parameters or modify the /oauth/_redirect path — this is the fixed endpoint Meteor uses to handle OAuth callbacks.

As Facebook mentioned in their announcement:

三月，我们将对应用设置进行安全更新，未列入Valid OAuth redirect URIs字段的URI发起的请求将被视为无效。此次更新旨在应对平台上的恶意活动，通过启用重定向URI严格模式来保护您的应用或网站。

Make sure to add all URIs for every environment you use (local, staging, production) — missing any will break Facebook login in that environment once the update goes live.

内容的提问来源于stack exchange，提问作者Jimmy Thigpen