problem with authorization

user550237
Occasional Participant
This is my auth type:

OAuth Type: Authorization Code/Implicit
So I redirect the user to the auth page:

[screenshot: c1.png]

After clicking Access, it'll redirect back to the website with code and state parameters:

[screenshot: c2.png]
According to the documentation, this code should work as an access token for API calls, but it doesn't work:

[screenshot: c3.png]
I thought maybe I need to refresh and get a token by sending a POST request to

https://authz.constantcontact.com/oauth2/default/v1/token

so I send this POST request:
$response = $client->request('POST', 'https://authz.constantcontact.com/oauth2/default/v1/token', [
    'form_params' => [
        'client_id'     => env('CONSTANTCONTACT_CLIENT_ID'),
        'redirect_uri'  => env('CONSTANTCONTACT_REDIRECT_URI'),
        'code'          => $code,
        'code_verifier' => 'somerandomstring',
    ],
    'headers' => [
        'Content-Type' => 'application/x-www-form-urlencoded',
        'Accept'       => 'application/json',
    ],
]);

and i get 

 

{"error":"invalid_client","error_description":"Client authentication failed. Either the client or the client credentials are invalid."}

 im so confused nothing seems to work as documentation says 

1 ACCEPTED SOLUTION
Courtney_E
Moderator

Hello user550237,

Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.

Sorry for any difficulty getting started with authorization, I know the process can seem a little daunting when first getting started.

It looks like in your example, the authorization code was used in the authentication header instead of an access token, and that no tokens have been generated yet. The authorization code is meant to be exchanged for the access token and refresh token.

To get started with the V3 API, you’ll want to start by going through the V3 API OAuth2 Authorization Code Flow. Please note, after step 1, you should set up step 4 before proceeding, because the authorization code from steps 2 and 3 only has a lifespan of 5 minutes.

Here is how your initial Authorization Request URL should be formatted:

GET https://authz.constantcontact.com/oauth2/default/v1/authorize?client_id=________________&scope=_____...

Additionally, while it won’t return any errors if excluded from your Authorization Request, you’ll want to also include the new scope “offline_access”, which is now required for returning refresh tokens.

Like so:

scope=contact_data+campaign_data+offline_access

Step 1: Create an Authorization Request
https://v3.developer.constantcontact.com/api_guide/server_flow.html#step-1-create-an-authorization-r...

Before getting the Authorization Code, we want to set up Step 4 (Get the Access Token and Refresh Token) ahead of time, because the Auth Code expires after 5 min and can only be used once.

Here is how the token request should be formatted:

POST https://authz.constantcontact.com/oauth2/default/v1/token?code={auth_code}&redirect_uri=https://loca...

Additionally, for this endpoint, you’ll need the following headers. (If you haven’t already, for the Authorization header, you’ll want to include the string “key:secret” encoded with Base64, which you can do here: https://www.base64encode.org/ )

Headers:
“Content-Type” : “application/x-www-form-urlencoded”
“Authorization” : “Basic ______”

Step 4: Get the Access Token and Refresh Token
https://v3.developer.constantcontact.com/api_guide/server_flow.html#step-4-get-the-access-token-and-...

Now that we have that set up, we’ll take our Authorization Request URL and paste it into a browser, where it will have you log in, grant access, and then will provide you with the Authorization Code in the URL that you are redirected to.

Take the Authorization Code and put it where {auth_code} is in the Token request example I provided before.

 

Once you have your first set of tokens, you’ll want to set the access token and the refresh token as values for corresponding variables in your application, so that when your program runs through step 8 of the OAuth2 Authorization Code Flow to get the new set of tokens it can assign the updated values to those variables to maintain an authenticated connection.

You can either have the application refresh the tokens on a timer based on the life of the access token (access token lifetime is a static 24 hours), or you can check to see if the access token is still active before each submission, and then use the refresh token to generate a new set of tokens if not.

In order to parse the JWT access token for the expiration date/time and/or granted scopes, I'd suggest looking for a standalone JWT decoder tool or setting up a decoder within your program’s code so that it can programmatically verify the remaining lifetime of the access token before attempting to refresh.

[3rd party resources]

JWT Decoder Tool Examples:
https://jwt.io/#debugger-io
https://developer.pingidentity.com/en/tools/jwt-decoder.html

Epoch & Unix Timestamp Conversion Tool Example:
https://www.epochconverter.com/

If you want your application to parse the JWT programmatically in your program’s code (the example we currently offer in the documentation is only in Java at this time), you can find instructions online regarding how to do this in different languages.

The OpenID Foundation maintains a list of libraries implementing JWT and JOSE specs, which may be a good starting point. Their list can be found here: https://openid.net/developers/jwt/

Next, make sure you are able to successfully refresh your token set. This call is also to the token endpoint, but uses the refresh token instead of the code. You will want the same headers as we used when getting the first token set:

POST https://authz.constantcontact.com/oauth2/default/v1/token?refresh_token={refresh_token}&grant_type=r...

Step 8: Refresh the Access Token
https://v3.developer.constantcontact.com/api_guide/server_flow.html#step-8-refresh-the-access-token

Once authentication and token variables are set up, and you’re able to complete Step 8 (Refresh the Access Token), you can then use your current Access Token variable value to make calls to the API endpoints using the authorization header 'Authorization: Bearer {access_token}'.

Please have a look and let us know if you have any other questions!


Regards,

Courtney E.
Tier II API Support Engineer

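The flow Courtney describes, as an added example that is not Constant Contact's code or code from this thread: it builds the step 4 and step 8 token requests with the Basic Authorization header the poster's Guzzle request lacked, and reads exp from the JWT so a refresh can be scheduled before the 24-hour lifetime runs out. Assumptions: parameters are sent in the form body rather than the query string shown above, grant_type follows RFC 6749 (authorization_code / refresh_token), and the unsigned_jwt fixture is constructed for offline testing only.

```python
"""Constant Contact V3 OAuth2 code-flow helpers (example added to this thread,
not Constant Contact's own code). Requests are returned as plain dicts so they
can be inspected offline and handed to any HTTP client."""
import base64
import json
import time

TOKEN_URL = "https://authz.constantcontact.com/oauth2/default/v1/token"

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client authentication for steps 4 and 8: HTTP Basic over "key:secret"."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def _token_request(client_id: str, client_secret: str, form: dict) -> dict:
    return {"method": "POST", "url": TOKEN_URL, "form": form,
            "headers": {"Content-Type": "application/x-www-form-urlencoded",
                        "Accept": "application/json",
                        "Authorization": basic_auth_header(client_id, client_secret)}}

def build_code_exchange(client_id, client_secret, code, redirect_uri) -> dict:
    """Step 4: swap the single-use, 5-minute authorization code for tokens.
    The poster's request drew invalid_client because the secret was never sent:
    client_id alone in the body and no Authorization header."""
    return _token_request(client_id, client_secret, {
        "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri})

def build_refresh(client_id, client_secret, refresh_token) -> dict:
    """Step 8: same endpoint and headers, refresh_token grant. Persist the new
    refresh token from the response; rotation invalidates the one just used."""
    return _token_request(client_id, client_secret, {
        "grant_type": "refresh_token", "refresh_token": refresh_token})

def jwt_payload(token: str) -> dict:
    """Read a JWT payload WITHOUT verifying the signature: fine for scheduling a
    refresh, never a basis for trusting the claims."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def needs_refresh(access_token: str, now=None, leeway: int = 300) -> bool:
    """True when exp is absent or within `leeway` seconds of `now` (Unix time)."""
    exp = jwt_payload(access_token).get("exp")
    now = time.time() if now is None else now
    return exp is None or exp - now <= leeway

def unsigned_jwt(payload: dict) -> str:
    """Constructed fixture for offline tests of jwt_payload; real tokens are signed."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}."
```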

4 REPLIES
MasonA93
Regular Participant

I'm having the Unauthorized/Unauthorized issue as well. Been waiting for 4 days to get a response.

user550237
Occasional Participant

Hi Courtney, thanks for the response... it's working now.
Just one question... can we use the refresh token to get a new access token at any time?

Let's say we get access and refresh tokens and store them in our database, and for some reason close/don't use the website for a month... when we go back online, is it possible to get a new access token with the refresh token we got last month?

Basically I'm asking if the refresh token has an expiration date.

Courtney_E
Moderator

Hello user550237,

Thank you for reaching out to Constant Contact API Developer Support.

Yes, you are correct. If you have stored the last refresh token generated, it will still work, regardless of how long the access token has been expired.

Rotating Refresh Tokens will not expire unless they have been used and/or a new token set has been generated. Rotating refresh tokens can only be used once, as generating a new set of tokens causes all previous refresh tokens to expire.

Please have a look and let us know if you have any other questions!


Regards,

Courtney E.
Tier II API Support Engineer
