Authorization Code Request: 400 - Invalid redirect_uri when adding query parameters

Amilia
Rookie

Hi,

 

I'm in the process of implementing OAuth 2.0 server flow authentication on my platform, which serves multiple organizations, each with their specific URL. Thus, on the Authorization Request call, I have to make use of additional query parameters by appending them to the redirect URI and encoding them to redirect my users after a successful authentication. Alas, adding any additional query parameters to my redirect URI gives me a 400 - Invalid redirect_uri error page indicating a mismatch between the redirect URI specified in the call and the one in my application settings.

 

Here's the redirect URI specified in my application settings:

http://www.amilia.localhost/Ws/ConstantContact/OAuthResponse

 

Here's the non-encoded redirect URI and appended query parameters I'm sending with the Authorization Request:

http://www.amilia.localhost/Ws/ConstantContact/OAuthResponse?orgId=3049

 

Here's the complete Authorization Code Request as I'm sending it to your servers with redacted Client ID:

https://api.cc.email/v3/idfed?response_type=code&client_id=<MY_CLIENT_ID>&scope=contact_data&redirect_uri=http%3a%2f%2fwww.amilia.localhost%2fWs%2fConstantContact%2fOAuthResponse%3forgId%3d3049

 

Here's the C# code responsible for redirecting the user to Constant Contact's servers for the Authorization Code Request:

 

public void AuthorizationCodeRequest(int orgId)
{
    var apiKey = "<MY_CLIENT_ID>"; // redacted client ID
    var redirectParams = $"?orgId={orgId}";
    var redirectUrl = HttpUtility.UrlEncode("http://www.amilia.localhost/Ws/ConstantContact/OAuthResponse" + redirectParams);
            
    var url = $"https://api.cc.email/v3/idfed?response_type=code&client_id={apiKey}&scope=contact_data&redirect_uri={redirectUrl}";

    HttpContext.Current.Response.Redirect(url);
}

 

With no additional query parameters, the authentication works fine and I'm able to get an Access Token with the returned code but as soon as I add any additional query parameters, I am met with the 400 - Invalid redirect_uri error page. I am not sure as to what I'm doing wrong here as adding query parameters to the redirect URI is supported as specified in the V3 API documentation.

Jimmy_D
Employee
0 Votes

Hi @Amilia,

 

I am currently looking into this. Our v2 API works with this and our documentation and developers say this should work in the v3 API; however, I'm having the same issue as you are.

 

Let me do a little more digging/testing on this and see what I can come up with.


Regards,
Jimmy D.
Tier II API Support Engineer
ERICW916
Rookie
0 Votes

Can we get an update on this issue, as it is preventing me from moving forward?

Jimmy_D
Employee
0 Votes

Hi @ERICW916,

 

I have brought this up to our engineers and they are looking into it. At this time I do not have an ETA; however, if you would like an email when the issue is resolved you can email us at webservices@constantcontact.com and we can set that up.


Regards,
Jimmy D.
Tier II API Support Engineer
user88222
Rookie
0 Votes

It's been 3 months already and this is still not resolved.

Jimmy_D
Employee
0 Votes

Hi @user88222,

 

Thank you for reaching out to Constant Contact's API Support.

 

I have sent you a separate email; please look for it at the email address attached to your Constant Contact account.


Regards,
Jimmy D.
Tier II API Support Engineer
IntegrationT4
Constant Contact Partner
0 Votes

We are having the same issue here on our end. We are trying to pass a state parameter (or any non-constant parameter for that matter) in our redirect and it is being cleared out. Do you have a workaround in place for this?

ERICW916
Rookie
0 Votes

Yeah, after 3 months, I have instructed our company to put this project on the backlog. This is clearly not adhering to the OAuth 2 standard as it should be stateless. I do not want to resort to maintaining state as that is a dirty workaround for what should be a simple solution. If we could all get an ETA, I think we all could gauge our development efforts better and set customers' expectations, but it doesn't look like that is going to happen.

Jimmy_D
Employee

Hi @IntegrationT4 and @ERICW916,

 

You can use a wildcard when setting the redirect URI in the application settings of your API Key. Then when you use the redirect URI in your actual call it will work with different parameters. Here is an example.

 

In the settings for your API Key set this as your redirect URI.

https://localhost?id=*

 

When you add the redirect URI to the API call endpoint you can use different parameters in place of the wildcard.

https://idfed.constantcontact.com/as/token.oauth2?code={authorization_code}&redirect_uri=https://localhost?id=5&grant_type=authorization_code

Your redirect URI will need to be encoded, of course.


Regards,
Jimmy D.
Tier II API Support Engineer
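
Added example, not part of the thread and not Constant Contact's code: with `https://localhost?id=*` registered as in the reply above, the `id` value that comes back on the callback can be set by whoever builds the authorization link, so this Python code signs the organization id before sending it and verifies it on return. `SECRET`, `session_id` and the function names are hypothetical, and it assumes the wildcard accepts any value in the `id` slot.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"   # constructed; load a real key from a secret store
CALLBACK = "https://localhost"     # registered as https://localhost?id=* (from the reply)
AUTHORIZE = "https://api.cc.email/v3/idfed"   # endpoint from the original post


def sign_org(org_id: int, session_id: str) -> str:
    """Return '<orgId>.<mac>'; the MAC binds the org id to one user session."""
    msg = f"{org_id}|{session_id}".encode()
    return f"{org_id}.{hmac.new(SECRET, msg, hashlib.sha256).hexdigest()}"


def redirect_uri_for(org_id: int, session_id: str) -> str:
    return f"{CALLBACK}?{urlencode({'id': sign_org(org_id, session_id)})}"


def authorization_url(client_id: str, org_id: int, session_id: str) -> str:
    # urlencode percent-encodes the nested redirect URI, including its '?' and '='.
    return AUTHORIZE + "?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "scope": "contact_data",
        "redirect_uri": redirect_uri_for(org_id, session_id),
    })


def org_from_callback(callback_url: str, session_id: str) -> int:
    """Return the org id carried by the callback; raise ValueError if it was altered."""
    values = parse_qs(urlsplit(callback_url).query).get("id", [])
    if len(values) != 1:
        raise ValueError("expected exactly one id parameter")
    org = values[0].partition(".")[0]
    if not (org.isascii() and org.isdigit()):
        raise ValueError("org id is not numeric")
    expected = sign_org(int(org), session_id)
    if not hmac.compare_digest(expected.encode(), values[0].encode()):
        raise ValueError("id was not issued for this session")
    return int(org)
```

The token request shown in the reply has to carry the same value that `redirect_uri_for` produced, encoded the same way.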
NickN416
Rookie
0 Votes

This appears to be the solution, perhaps you should add the wildcard to the documentation. Additional query strings were explicitly documented and permitted in the V2 API, however they are not mentioned at all in the documentation for the V3 API, and while it seems obvious now that you mention it, it certainly didn't appear obvious when we were trying to solve this problem by reading the documentation.

GregB1741
Rookie
0 Votes

Can the wildcard be in the path?  We use the restful concept of identifiers in the path, and use that with all of our other OAuth2 flows, e.g.

(unencoded) redirect uri: http://localhost/api/1.0/company/12345/auth

Jimmy_D
Employee
0 Votes

Hi @GregB1741,

 

The wildcard can be placed anywhere in the redirect URI.


Regards,
Jimmy D.
Tier II API Support Engineer
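
Added example, not part of the thread and not Constant Contact's code: since the wildcard may sit anywhere, this Python check reports which URI component of a registered pattern is left open, and gives the callback a strict matcher that accepts only a short numeric value where the `*` was. The risk labels, the numeric-slot rule and the function names are this example's own assumptions; the patterns are taken or constructed from the URIs in the thread.

```python
import re
from urllib.parse import urlsplit


def wildcard_findings(pattern: str) -> list[tuple[str, str]]:
    """Return (component, risk) for each part of a registered pattern holding '*'."""
    parts = urlsplit(pattern)
    findings = []
    if not parts.scheme or not parts.netloc or "*" in parts.netloc:
        # The origin is not pinned, so the code is not tied to one host.
        findings.append(("origin", "high"))
    if "*" in parts.path:
        # Any handler under the open path segment can receive the code.
        findings.append(("path", "medium"))
    for pair in filter(None, parts.query.split("&")):
        name, _, value = pair.partition("=")
        if "*" in name:
            findings.append((f"query name {name!r}", "medium"))
        elif "*" in value:
            # Narrowest placement: fixed origin, path and parameter name.
            findings.append((f"query value of {name!r}", "low"))
    if "*" in parts.fragment:
        findings.append(("fragment", "medium"))
    return findings


def callback_matches(pattern: str, uri: str, slot: str = r"[0-9]{1,10}") -> bool:
    """True only if uri equals pattern with every '*' replaced by a value matching slot."""
    regex = slot.join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, uri) is not None


# Patterns constructed from the URIs quoted in the thread.
QUERY_PATTERN = "https://localhost?id=*"
PATH_PATTERN = "http://localhost/api/1.0/company/*/auth"
```

Running `wildcard_findings` over every registered pattern before saving it, and `callback_matches` on each incoming callback, keeps the accepted set as close to an exact match as the wildcard allows.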
ERICW916
Rookie
0 Votes

As a developer, I sort of hate it when people tell me the following:

 

Hey, it's happening to me too.

 

But...hey it's happening to me too and I don't want to resort to Cookies or Local Storage to try to manage state unless this is going to be a long time to fix. Without this capability it will be hard for us to know who we passed to Constant Contact. I am sure you get that.
