From google:
For security, the
redirect_urimust have the same base domain as that specified in the App Domain property of your app’s settings, or be a URL of the formhttps://apps.facebook.com/YOUR_APP_NAMESPACE.
Also maybe localhost in redirect_uri is denied.
Why you don’t use Oauth2 gem?