@h7 Thanks, this helped, in my case with no need to make the app public. It's still "In Development", but working.
The settings at Facebook for Developers are like the following:
Settings > Basic
Display Name: Example Community Login
App Domains: example.com
Contact Email: firstname.lastname@example.org
Category: Some category
Site URL: https://example.com/community/
Facebook Login > Settings
[yes] Client OAuth Login
[yes] Web OAuth Login
[no] Force Web OAuth Reauthentication
[yes] Use Strict Mode for Redirect URIs
[yes] Enforce HTTPS
[no] Embedded Browser OAuth Login
Valid OAuth Redirect URIs: https://example.com/community/auth/facebook/callback
[no] Login from Devices
Well, not sure if all this is needed, but after many tests it's working this way.
There is also the interesting video Facebook SSO for NodeBB - YouTube, which is helpful although not complete.
When I enable the setting Make uploaded files private I expect profile images to go private as well, but it does not. I've tried to reupload avatars to check if the setting would apply to new uploads only, but there's no difference.
How do I make profile images accessibly to logged in users only?
Ugh. I spoke too soon. If I refresh the page, the href tag disappears!
That's really weird.....
I upgraded to v1.12.0 and the problem disappeared (and none of my plugins broke either).
Let us never speak of this again...