Hello,
I'm trying to create a JS function using fetch to refresh my access_token, but it doesn't work. Every time I get the error below:
Access to fetch at 'https://idfed.constantcontact.com/as/token.oauth2' from origin 'myUrl' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
I'm guessing this works on the backend only?
Please advise!
Thanks,
Hello Jack,
My name is Caleb and I am a member of Constant Contact's API Developer Support.
You are correct, the OAuth Server flow that you are currently utilizing does not allow requests that come from browser or client-based applications. These types of applications leave their source code open to the public, which, when using the OAuth Server flow, would result in your client secret being exposed.
Due to this, the server flow endpoint rejects any requests from these applications and returns the CORS policy error that you have provided. In order for your application to function, you will need to use the OAuth Client Flow, which does not allow an access token to be refreshed and instead has the user re-authorize the application with their account after the token has expired.
OAuth 2.0 Client Flow:
https://developer.constantcontact.com/api_guide/client_flow.html
Alternatively, you could have a server-side application make the authentication requests using the OAuth Server flow, which could then pass the access token to your client-side application to be used in making the requests.
We also wanted to note that we are looking into other authentication flows which would provide the same level of security as the current system but would also allow for the tokens to be refreshed by the client-side flow.
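The alternative Caleb describes, as an added example that is not Constant Contact's code and not part of the original thread: a small server-side refresh routine that holds the client secret, and the one-line change the browser code needs (call your own origin instead of the IdP, so there is no cross-origin preflight to idfed.constantcontact.com). It assumes Node 18+ (global fetch, Buffer) and a standard RFC 6749 refresh_token grant with HTTP Basic client authentication; the parameter names, the `/api/token` route, the credentials and the `fakeTokenEndpoint` stand-in are constructed for the example, so check the Constant Contact server-flow docs for the exact request format.

```javascript
// Added example (not Constant Contact's code). Server-side token refresh that
// keeps client_secret and refresh_token off the browser, plus the browser call.
// Assumptions: Node 18+, RFC 6749 refresh_token grant with Basic client auth.

const TOKEN_URL = 'https://idfed.constantcontact.com/as/token.oauth2';

// Build the refresh request as plain data so it can be inspected and tested.
function buildRefreshRequest({ tokenUrl, clientId, clientSecret, refreshToken }) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  const body = new URLSearchParams({ grant_type: 'refresh_token', refresh_token: refreshToken });
  return {
    url: tokenUrl,
    options: {
      method: 'POST',
      headers: {
        Authorization: `Basic ${basic}`,
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      body: body.toString(),
    },
  };
}

// Reduce the IdP response to what the browser needs. The refresh_token stays on
// the server: anything that can mint new access tokens must not reach the client.
function toBrowserToken(tokenResponse) {
  if (typeof tokenResponse.access_token !== 'string' || tokenResponse.access_token === '') {
    throw new Error('token response has no access_token');
  }
  return {
    access_token: tokenResponse.access_token,
    token_type: tokenResponse.token_type || 'Bearer',
    expires_in: Number(tokenResponse.expires_in) || 0,
  };
}

// Server-side refresh. fetchImpl is injectable so the flow can run offline.
async function refreshAccessToken(config, fetchImpl = fetch) {
  const { url, options } = buildRefreshRequest(config);
  const res = await fetchImpl(url, options);
  if (!res.ok) {
    throw new Error(`token endpoint returned HTTP ${res.status}`);
  }
  const json = await res.json();
  // If the IdP rotates refresh tokens, persist json.refresh_token server-side here.
  return toBrowserToken(json);
}

// Constructed stand-in for the IdP (hypothetical credentials) so the example
// runs without network access and shows the failure path too.
function fakeTokenEndpoint(url, options) {
  const params = new URLSearchParams(options.body);
  const expectedAuth = 'Basic ' + Buffer.from('my-client-id:my-client-secret').toString('base64');
  const ok = url === TOKEN_URL
    && options.headers.Authorization === expectedAuth
    && params.get('grant_type') === 'refresh_token'
    && params.get('refresh_token') === 'rt-old';
  if (!ok) {
    return Promise.resolve({ ok: false, status: 401, json: async () => ({ error: 'invalid_client' }) });
  }
  return Promise.resolve({
    ok: true,
    status: 200,
    json: async () => ({ access_token: 'at-new', refresh_token: 'rt-new', expires_in: 86400, token_type: 'Bearer' }),
  });
}

// Hypothetical wiring. Server (Express-style route, not run here):
//   app.post('/api/token', async (req, res) => res.json(await refreshAccessToken(cfg)));
// Browser: same-origin request, so the IdP's CORS policy never comes into play.
//   const { access_token } = await (await fetch('/api/token', { method: 'POST' })).json();

const EXAMPLE_CONFIG = {
  tokenUrl: TOKEN_URL,
  clientId: 'my-client-id',          // constructed, not a real credential
  clientSecret: 'my-client-secret',  // constructed, not a real credential
  refreshToken: 'rt-old',
};

// Runs the refresh against the fake IdP and returns the browser-safe token.
function runDemo() {
  return refreshAccessToken(EXAMPLE_CONFIG, fakeTokenEndpoint);
}
```

The browser never sees the secret or the refresh token, which is the whole point of the server-side hop; the `/api/token` route should of course be protected by your own session so that only a logged-in user of your app can trigger a refresh.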
Hello Caleb,
Thanks a lot for your wide explanation; it clarified all my doubts. Indeed, it would be really useful to be able to implement this feature on the client side to avoid unneeded server requests. I'll stay tuned for your further updates.
Thanks and regards,