I've been adding social sign-in buttons, aka "Sign In With Facebook/Twitter/Google" for IdeaFit, and stumbled upon this.
Facebook won't allow you to make an OAuth app live until you provide a Data Deletion Request Callback. The requirement seems to be coming from GDPR policy (on the other hand, Twitter doesn't force it).
Anyways, let me walk you through the implementation of the data deletion request callback in a typical Ruby on Rails application.
Facebook sends a POST request, and you should delete all the data associated with a particular user (personal data, posts, comments, etc.). It can be done asynchronously and even manually.
After she removes your application on Facebook, she is provided with an optional button labeled "Request to delete data". Clicking it results in Facebook sending you a signed request and then displaying the returned URL to the user to check the status later.
The first one will be used to check the status of the deletion request, and the second is the webhook we'll submit to Facebook.