Ryan,

Looks like my URL got cut off, here it is with line breaks.

https://oauth2.constantcontact.com/oauth2/oauth/siteowner/authorize?

response_type=code&

client_id=API_KEY&

redirect_uri=https%3A%2F%2Flocalhost%2FPATH_TO_APPLICATION

As for other code, there is no other code that really matters. If you replace API_KEY in the URL above with my real API key, you can paste this into a browser and see that:

1. You correctly get taken to an OAUTH authorization page
2. After granting access, you are redirected to the following URL:

https://localhost/PATH_TO_APPLICATION?error=redirect_uri_mismatch&

error_description=Invalid%20redirect.

If things were working, I'd get redirected to:

https://localhost/PATH_TO_APPLICATION?code=AUTH_CODE

Note that I can change PATH_TO_APPLICATION to a real app location, same result. I can also use a server with a public hostname and not use localhost, same result.

Does that help?

Andy

This is working now. I hadn't realized I needed to attach the redirect URI value to my API key. It would be great to note this in your API docs.

Thanks,

Andy

Hey Andy,

I will be passing that information on to see if we can get that documentation updated.

I'm developing a web app that is using oauth 2 and it works fine when the URIs match as you say.  My problem is that I'll need this web app to run when installed at multiple client sites.  So the URI will always be different.  Is there anyway to not use the URI redirect in the key or any other work around to this.  I'd rather not create an api key for every client that runs this application.

-Paul

The normal way of handling this is to have a central server endpoint (or agent) that handles all requests and then sends it back to the correct client.  Since you can pass optional parameters to the server and the server will pass them back to you, you can tell which endpoint to redirect the information to.  Then your client will receive the update from your server agent and this flow will correctly work.

Thanks Dave. An agent sounds like it will work. I'll give that a try.

Hey Paul,

There are no work around as this is how the specification of oAuth2 was written.  At this time we don't have a way to verify more than one redirect URI to an API key.  The only work around that comes to mind is to use oAuth1 which you can find information for here. 

Please let me know if this helps.

I'm in the same boat here.  Trying to develop a module for the WHMCS billing system.  I'd like to provide this addon module to others who use WHMCS, but it seems that I can't use the key to redirect other users of this addon module to their own website.

This is pretty much a show stopper for enabling me to share this module with others, unless I make then generate their own key.  To say I'm disappointed is an understatement.  I am frustrated by this.  What a horrible limitation in this API.  Even more frustrating is that this looks like it's been the case for several years.

It seems there is no workaround to this, so I'm not asking for the answer.  Just expressing my deep disappointment and hoping that perhaps the API can be tweaked to allow this type of developing and sharing of code.

Richard

Hi Richard,

Thank you for your feedback on this and for sharing your experience with us. In this case, it is not likely that this will change, as the limitation that a redirect URI must always match is part of the OAuth 2.0 specification that we are implementing for authentication. Because this is a core part of the OAuth implementation, it is not likely that it will be changed. One aspect of that limitation is that this leaves using a central agent that can pass that redirect on to the correct user as the only option to implement this properly.

Best Regards,

   Hi.   With your sample files, I have configured the apikey with the Redirect URI, run the sample, click the "Get Access Token" button, a login appears, grant access to the application name defined in the apikey, click in "Grant Access".

   Tracking the HTML source code for this 'grant access' page, this contains data that seems to be ok, for example:

          <input name="preregistered_redirect_uri" value="http://www.myserver.com/socialn2/test/ccontact_sdk/examples/getAccessToken.php" type="hidden"/>

  This is the same link for the published page where the process started.    Is the same Redirect URI configured in the apikey.

  The process navigates to http://www.myserver.com/socialn2/test/ccontact_sdk/examples/getAccessToken.php?code=nIRSObZgeQcGjT0S...

   So it seems to be ok, but this page displays an error   "Error: redirect_uri_mismatch: Redirect URI mismatch"  when the next code is reached:

             $accessToken = $oauth->getAccessToken($_GET['code']);

   The link already contains a code, so it should work.

   Could you explain me what's going on?