Hello Team,
My use case is that we receive multiple leads from various sources, and as soon as our Java application receives them it needs to post the contact information without manual effort by users, like the implicit grant or device grant. I am currently stuck at creating the token flow.
It should execute on the server side at any point in time. Please lead me in the right direction. Currently I see at https://developer.constantcontact.com/api_guide/auth_overview.html that authorization requires some kind of user acceptance.
Hello AvinashaN,
Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.
Each of our current OAuth2 authorization flows requires the use of a browser to authorize an application on an account, but you should only need to do this once. After an account has authorized your application, you can utilize refresh tokens to maintain access and fully automate your application. For a server side application, I would recommend using either the Authorization Code flow or the Device flow. I’ll include documentation for both flows below as well as some instructions for starting out with the Authorization Code flow. The main difference between these flows is that the Device Flow does not require using redirect URLs, callbacks, or the client secret. Instead, it requires getting a device_code, and then the application’s client_id and the device_code are used to get an access token.
Authorization Code Flow:
https://developer.constantcontact.com/api_guide/server_flow.html
Device Flow:
https://developer.constantcontact.com/api_guide/device_flow.html
To get started with the V3 API, you’ll want to start by going through the V3 API OAuth2 Authorization Code Flow. Please note, after step 1, you should set up step 4 before proceeding, because the authorization code from steps 2 and 3 only has a lifespan of 5 minutes.
V3 API OAuth2 Authorization Code Flow
https://v3.developer.constantcontact.com/api_guide/server_flow.html
Once you have your first set of tokens, you’ll want to set the access token and the refresh token as values for corresponding variables in your application, so that when your program runs through step 8 of the OAuth2 Authorization Code Flow to get the new set of tokens it can assign the updated values to those variables to maintain an authenticated connection.
You can either have the application refresh the tokens on a timer based on the life of the access token (access token lifetime is a static 24 hours), or you can check to see if the access token is still active before each submission, and then use the refresh token to generate a new set of tokens if not.
In order to parse the JWT access token for the expiration date/time and/or granted scopes, I'd suggest looking for a standalone JWT decoder tool or setting up a decoder within your program’s code so that it can programmatically verify the remaining lifetime of the access token before attempting to refresh.
[3rd party resource] JWT Decoder Tool Examples: https://jwt.io/#debugger-io https://developer.pingidentity.com/en/tools/jwt-decoder.html
[3rd party resource] Epoch & Unix Timestamp Conversion Tool Example: https://www.epochconverter.com/
If you want your application to parse the JWT programmatically in your program’s code (the example we currently offer in the documentation is only in Java at this time), you can find instructions online regarding how to do this in different languages.
The OpenID Foundation maintains a list of libraries implementing JWT and JOSE specs, which may be a good starting point. Their list can be found here: https://openid.net/developers/jwt/
Once authentication is set up, and you’re able to complete Step 8 (Refresh the Access Token), you can then use your current Access Token variable value to make calls to the API endpoints.
Please have a look and let us know if you have any other questions!
Regards,
Hey John, I'm noticing that the documentation for the Device flow regarding refreshing the Access Token in step 7 says the following: "If the access token expires, you can exchange it for a new access and refresh token using the Refresh the Access Token procedure."
The only Refresh the Access Token procedure I can find in the documentation is under the Authorization Code Flow page in Step 8, and it requires a client_secret to be used in the Authorization header. When I set up my application to use the Device Flow, it does not provide a client secret, so can you provide guidance on how to authorize a Device Flow access token refresh without a client_secret?
Hello AlitaM6,
Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.
While it won’t return any errors if excluded from your Authorization Request (using either the Device Flow or the Authorization Code Flow), you’ll want to also include the new scope “offline_access”, which is now required for returning refresh tokens.
Like so:
scope=contact_data+campaign_data+offline_access
If you continue to experience difficulty, please feel free to reach out to our team directly/securely via email at webservices@constantcontact.com and reference case #30815162.
Please have a look and let us know if you have any other questions!
Yeah, I had to mess with this a while to figure it out. Just don't pass the client secret, but instead populate your body with the following KVPs: refresh_token (the one you got from your initial token call after your device authentication), grant_type (refresh token), and client_id, and it'll work.
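The token-maintenance logic described in John's reply (decode the JWT access token for its exp claim, refresh before it runs out, then keep the new pair) and the device-flow refresh body described in the reply just above (client_id in the form body instead of a client secret in the Authorization header) fit naturally into one small token manager. The following is an added example, not code from the thread or from Constant Contact; the asker's application is Java, but Python is used here so the logic can be run as-is. The token URL is a placeholder, the JWT is constructed and unsigned for the offline demo, and `FakeTokenEndpoint` is a test double standing in for the real token endpoint.

```python
import base64
import json
import time

# Placeholder endpoint (assumption): substitute the token URL from the
# Constant Contact V3 docs. The offline demo below never contacts it.
TOKEN_URL = "https://example.invalid/oauth2/token"
REFRESH_SKEW_SECONDS = 300  # refresh once this little lifetime is left


def jwt_claims(token):
    """Return the payload claims of a compact JWT (header.payload.signature).

    The signature is deliberately NOT verified: we only read exp/scope from a
    token the authorization server just issued to us. Never use this to trust
    a token presented by a third party.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def seconds_remaining(token, now=None):
    """Lifetime left on the access token, computed from its exp claim (Unix seconds)."""
    now = time.time() if now is None else now
    return int(jwt_claims(token)["exp"]) - now


def needs_refresh(token, now=None, skew=REFRESH_SKEW_SECONDS):
    """True when the token is expired or within `skew` seconds of expiring."""
    return seconds_remaining(token, now) <= skew


def refresh_request(refresh_token, client_id, client_secret=None):
    """Build headers and form body for the 'Refresh the Access Token' call.

    Authorization Code flow apps hold a client secret and send it with the
    client_id as HTTP Basic credentials. Device flow apps have no secret, so
    the client_id travels in the form body instead.
    """
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    else:
        body["client_id"] = client_id
    return headers, body


class TokenStore:
    """Holds the current token pair and refreshes it transparently.

    `transport(url, headers, body) -> dict` is injected so a real HTTP client
    (or a test double) can be swapped in.
    """

    def __init__(self, access_token, refresh_token, client_id, client_secret, transport):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.client_id = client_id
        self.client_secret = client_secret
        self.transport = transport

    def current_access_token(self, now=None):
        """Return a usable access token, refreshing first if it is about to expire."""
        if needs_refresh(self.access_token, now):
            headers, body = refresh_request(self.refresh_token, self.client_id, self.client_secret)
            reply = self.transport(TOKEN_URL, headers, body)
            # Each refresh returns a NEW pair; store both or the next refresh fails.
            self.access_token = reply["access_token"]
            self.refresh_token = reply["refresh_token"]
        return self.access_token


# ---- offline demo scaffolding (constructed, not real Constant Contact data) ----

def demo_jwt(exp, scope="contact_data campaign_data offline_access"):
    """Constructed, unsigned JWT carrying an exp claim, for the demo only."""
    def seg(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg({'exp': exp, 'scope': scope})}."


class FakeTokenEndpoint:
    """Test double for the token endpoint: records each request, issues a 24h token."""

    def __init__(self):
        self.calls = []

    def __call__(self, url, headers, body):
        self.calls.append({"url": url, "headers": headers, "body": body})
        if body.get("grant_type") != "refresh_token":
            raise ValueError("unsupported_grant_type")
        return {"access_token": demo_jwt(int(time.time()) + 24 * 3600),
                "refresh_token": "rt-" + str(len(self.calls))}


if __name__ == "__main__":
    endpoint = FakeTokenEndpoint()
    now = 1_700_000_000
    store = TokenStore(demo_jwt(now + 60), "rt-initial", "my-client-id", None, endpoint)
    token = store.current_access_token(now=now)  # 60 s left, under the skew, so it refreshes
    print("refresh body sent:", endpoint.calls[0]["body"])
    print("new token lifetime (s):", round(seconds_remaining(token)))
```

To go live, replace `TOKEN_URL` with the endpoint from the Constant Contact docs and pass a transport that does the real POST (for example `requests.post(url, headers=headers, data=body).json()`), and persist the rotated refresh token somewhere durable (a secrets store, not a log file), since the previous one stops working after each refresh. Reading `exp` without checking the signature is acceptable only because the token came straight from the authorization server over TLS; any code that accepts tokens from other parties must verify them.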