Facebook doesn't look up "cancel_url" in the list of "Valid OAuth redirect URIs"


Initial setup:

My app uses the Facebook OAuth system and has 3 different environments: production, testing and development. I've already listed all 3 valid redirect URLs in the Facebook app's advanced settings (like people do here and here):

Valid OAuth redirect URIs:
  http://myapp-pro.herokuapp.com,
  http://myapp-tst.herokuapp.com,
  http://myapp-dev.herokuapp.com

Additionally, on basic settings the app has:

App domains: myapp-pro.herokuapp.com
Site URL: http://myapp-pro.herokuapp.com

What happens so far:

  1. When using production environment, everything's ok.

  2. When on testing or development (neither of which is listed in App domains or Site URL):

    a. When the user logs in to my site and is already logged in to Facebook, everything goes fine.

    b. When the user logs in to my site but isn't already logged in to Facebook, Facebook complains that:

    Given URL is not allowed by the Application configuration
    One or more of the given URLs is not allowed by the App's settings. It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App's domains.
    

More details about the latter case:

  1. The current URL in the browser at that moment is (not exactly; I've decoded the next and cancel_url parts for clarity):

    https://www.facebook.com/login.php?
      skip_api_login=1&
      api_key=...&
      signed_next=1&
      next=https://www.facebook.com/v2.0/dialog/oauth?
        redirect_uri=http://myapp-dev.herokuapp.com?
        scope=public_profile&
        email&
        user_birthday&
      response_type=code&
      client_id=...&
      ret=login&
      cancel_url=http://myapp-dev.herokuapp.com?
        error=access_denied&
        error_code=200&
        error_description=Permissions+error&
        error_reason=user_denied#_=_&
      display=page
    
  2. As you may have noticed, the redirect_uri and cancel_url domains are exactly equal, and this value (http://myapp-dev.herokuapp.com) exists in the list of Valid OAuth redirect URIs.

  3. If I manually change cancel_url here to the production domain, Facebook's error disappears.

  4. If I manually remove the cancel_url parameter completely, the error vanishes as well.

  5. If I just ignore the message, enter my credentials and press the login button, I am redirected to https://www.facebook.com/login.php?login_attempt=1 and nothing else happens.


Thoughts:

  1. It seems like Facebook simply doesn't check that cancel_url exists in the list of Valid OAuth redirect URIs.

  2. The manual hacks mentioned above are obviously not acceptable for a regular user, so I'm asking for other ideas.

  3. Using different Facebook apps for the different environments is also not a good idea ideologically, imho.


Workarounds:

  1. As @CBRoe mentioned in the comments: I tried using my own top-level domain instead of herokuapp.com (as the App domains and Site URL value) and it worked. This does not solve the initial question, but it is a good workaround.

1 answer

Paul Broomfield (best answer):

It appears that Facebook app domains can be on a subdomain. Facebook doesn't check that it exists; it just looks for the top-level domain. This allows us to set up a fake subdomain and host our local dev environment on it.

This won't work if you or your client doesn't have a live top-level domain, though.

Edit your hosts file: /etc/hosts on Mac, and /windows/system32/drivers/etc/hosts on Windows:

192.168.10.10 dev.theclientsdomain.com

Then put dev.theclientsdomain.com into the App domains.

Hope that helps.
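The following is an added example, not code from the question, the answer or Facebook: it models the two checks that the question juxtaposes, exact matching of a redirect target against the "Valid OAuth redirect URIs" list and the rule quoted in the error text ("match the Website URL ... or the domain must be a subdomain of one of the App's domains"), and runs both over the redirect_uri and cancel_url pulled out of a login.php URL constructed to mirror the (decoded) one in the question. It also exercises the accepted answer's workaround of a dev hostname under a real top-level domain. Facebook's actual matching rules are not documented on this page, so how the allowlist is compared (scheme, host and path with the query dropped) and the placeholder client_id/api_key values are assumptions of this model.

```python
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed from the app settings the question describes.
VALID_REDIRECT_URIS = {
    "http://myapp-pro.herokuapp.com",
    "http://myapp-tst.herokuapp.com",
    "http://myapp-dev.herokuapp.com",
}
APP_DOMAINS = {"myapp-pro.herokuapp.com"}
SITE_URL = "http://myapp-pro.herokuapp.com"


def _base(url):
    """scheme://host/path of a URL with query and fragment dropped.
    Modelling assumption: the redirect-URI list is compared this way."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}{p.path}".rstrip("/")


def in_redirect_allowlist(url, allowlist=VALID_REDIRECT_URIS):
    """Exact match of the URL (minus query) against the registered list."""
    return _base(url) in {_base(u) for u in allowlist}


def allowed_by_app_domains(url, app_domains=APP_DOMAINS, site_url=SITE_URL):
    """The rule quoted in the error text: the host must equal the Site URL
    host, or be one of the App domains or a subdomain of one of them.
    The leading dot in the suffix check keeps evil-example.com from
    passing as a 'subdomain' of example.com."""
    host = urlparse(url).hostname
    if host is None:
        return False
    if host == urlparse(site_url).hostname:
        return True
    return any(host == d or host.endswith("." + d) for d in app_domains)


def redirect_targets(login_url):
    """Extract the two client-controlled redirect targets from a login.php
    URL: redirect_uri nested inside `next`, and the top-level cancel_url."""
    outer = parse_qs(urlparse(login_url).query)
    inner = parse_qs(urlparse(outer["next"][0]).query)
    return {
        "redirect_uri": inner.get("redirect_uri", [None])[0],
        "cancel_url": outer.get("cancel_url", [None])[0],
    }


def check_login_url(login_url):
    """Run both checks on each target present.
    Returns {name: (in_allowlist, allowed_by_app_domains)}."""
    return {
        name: (in_redirect_allowlist(url), allowed_by_app_domains(url))
        for name, url in redirect_targets(login_url).items()
        if url is not None
    }


def build_login_url(env_host, with_cancel=True):
    """Constructed login.php URL for one environment, shaped like the
    decoded URL in the question. APP_ID is a placeholder, not a real id."""
    dialog = "https://www.facebook.com/v2.0/dialog/oauth?" + urlencode({
        "redirect_uri": f"http://{env_host}?",
        "scope": "public_profile,email,user_birthday",
        "response_type": "code",
        "client_id": "APP_ID",
        "ret": "login",
    })
    params = {"skip_api_login": "1", "api_key": "APP_ID", "signed_next": "1",
              "next": dialog, "display": "page"}
    if with_cancel:
        params["cancel_url"] = f"http://{env_host}?" + urlencode({
            "error": "access_denied", "error_code": "200",
            "error_description": "Permissions error",
            "error_reason": "user_denied"}) + "#_=_"
    return "https://www.facebook.com/login.php?" + urlencode(params)


if __name__ == "__main__":
    for env in ("myapp-pro.herokuapp.com", "myapp-dev.herokuapp.com"):
        print(env, check_login_url(build_login_url(env)))
    # The accepted answer's workaround: a dev host under a real domain.
    print(allowed_by_app_domains("http://dev.theclientsdomain.com/cb",
                                 {"theclientsdomain.com"},
                                 "http://theclientsdomain.com"))
```

Under this model the dev environment's redirect_uri and cancel_url both pass the allowlist check and both fail the App-domains check, which is consistent with the question's observation that only the App domains / Site URL rule is what the dev cancel_url runs into; myapp-dev.herokuapp.com is a sibling of myapp-pro.herokuapp.com, not a subdomain of it, whereas dev.theclientsdomain.com is a subdomain of theclientsdomain.com, which is why the answer's hosts-file trick satisfies the rule.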