令人惊讶的是，我刚刚开始尝试像一小时前那样做同样的事情并且一直有同样的问题。如果您进入FB开发人员门户并转到 Facebook登录下的设置，则可以选择强制使用HTTPS。

Amazingly I just started trying to do the same thing like an hour ago and have been having the same issue. If you go into the FB developer portal and go to Settings under Facebook Login there's an option to Enforce HTTPS.

进一步调查显示：

强制使用HTTPS。此设置需要使用HTTPS进行OAuth重定向，并且页面需要使用JavaScript SDK访问令牌。截至2018年3月创建的所有新应用都默认启用此设置，您应该计划将任何现有应用迁移到仅使用截至2019年3月的HTTPS URL。大多数主要的云应用程序主机为您的应用程序提供免费和自动的TLS证书配置。如果您自行托管您的应用程序或您的托管服务默认不提供HTTPS，您可以获得免费证书来自Let's Encrypt的域名。

"Enforce HTTPS. This setting requires HTTPS for OAuth Redirects and pages getting access tokens with the JavaScript SDK. All new apps created as of March 2018 have this setting on by default and you should plan to migrate any existing apps to use only HTTPS URLs by March 2019. Most major cloud application hosts provide free and automatic configuration of TLS certificates for your applications. If you self-host your app or your hosting service doesn't offer HTTPS by default, you can obtain a free certificate for your domain(s) from Let's Encrypt."

参考：登录安全