I realize this is 6 weeks late, but I figured I'll post this here since I found a fix that worked for us. Had the same issue and after trying to encode the return url (which did not work), I realized that we were building our URL like:

$url = "http://example.com/";
$redirect_script = "/cgi-bin/redirect.cgi";

$redirect_url = $url . $redirect_script;

However this resulted in a return URL that looked like http://example.com//cgi-bin/redirect.cgi -- note the "//" after example.com. When I removed the double-slashes from this URL, it worked again. OP, I see that your redirect URL has the same thing in /facebook/callback//empty?etc which I believe is what's messing it up.

Mo Hrad A is right, I didn't even manage to use $ character.

I wrote 2 simple functions that allows me to use complex return urls with parameters:

public static string EncodeFacebookReturnUrl(string url)
{
    return Regex.Replace(HttpUtility.UrlEncode(url), "%", "_-_");
}

public static string DecodeFacebookReturnUrl(string url)
{
    return HttpUtility.UrlDecode(Regex.Replace(url, "_-_", "%"));
}

Translating with UrlEncode results in only 1 "illegal" character (%), which I'm replacing with the legal string _-_. Makes it simple to decode too.

It's important to note that if you use https:// however in your login URL you are using http://, then it will throw a OAuthException about a url issue.

So you must use https:// in your login URL if you are using it.

This solved my problem.

in my case it caused by special characters in my query string, i had base64 code that contain / and =, i tried some characters like ! @ = / ; all throw same error

only two character that look like is valid is - _ # $

P.S / at the end of the query didn't help. also it was forbidden in the middle of the query string

Niranjan, we saw the same error message, precisely. Like you, it started happening this month, without any changes to our code.

We verified carefully that the redirect_uri was indeed exactly the same in both calls - first the authorize call, and second the access_token call.

We filed with Facebook, but they triaged it as "Low": https://developers.facebook.com/bugs/307245456075215?browse=search_51964e3320a5b5556208759

In our case, we were doing something unusual (so this might not be relevant to your case). Our redirect_uri was a URL with another URL embedded as an encoded path element. The URL-within-a-URL, doubly-encoded when passed to FB, had started causing problems with the Facebook API servers.

We resolved this by changing the encoding of the nested URL to a long hex number rather than % encoding, so all Facebook servers see is a simple redirect_uri containing some hex within the path, unaffected by normal URL encoding/decoding.

My suspicion is that Facebook changed the way they encoded/decoded their URL parameters, perhaps decoding twice.

If you're doing something like us, try this approach. If not, try an altogether different and simpler redirect_uri, to see if you can get something to work. And make sure you're correctly encoding/decoding all URL query parameters.

I've faced some strange Facebook behavior.

My site runs https and I've always got an error "Error validating verification code. Please make sure your redirect_uri is identical".

But then I've change https to http in redirect_uri and in developer panel (OAuth urls) then error disappear and authentification start to work correctly. But site still runs https...

Hope this helps someone.