A web application I'm currently developing needs users to be able to sign in via Facebook OAauth. However the problem is, all these users are behind a firewall that blocks access to facebook.com (company policy). We've looked into several solutions to get around this, like;

• Putting a (squid) proxy between Facebook and the users. This could solve the problem since squid supports fine grained regex-based ACLs. However, most of the Facebooks OAuth strategy runs on www.facebook.com and inspecting PATH_INFO to whitelist specific paths is not possible if the users use HTTPS (which is mandatory).
• Adding a proxy-like site in the DMZ of the firewall, which just passes and alters the urls/Facebook request. This obviously isn't the way to go either since it would basically mean users leave their credentials at our server, which is against Facebooks terms.
• Loosen up the firewall a bit to just enabling IP addresses needed for OAuth authentication, but as far as we could find out there isn't a dedicated IP or subdomain just for authentication (it would be nice if graph.facebook.com would provide something like this).

Any ideas for alternate solutions? Is this even possible at all?

No, because the OAuth Login process for the API works by sending the user to a HTTPS URL on facebook.com you won't be able to easily distinguish between the traffic needed to setup the login to your app and other traffic to Facebook.com

You'll have the same problem trying to verify a Facebook user by use of a social plugin like the Like Button - you can't easily separate the traffic for the plugin and other traffic to facebook.com